Hi!
I'm using the UW IMAP imapd in my network on a GNU/Linux host, along
with Kerberos authentication, and plaintext passwords using PAM and
the pam_krb5 module.
The pam_krb5 module saves the user's decoded ticket in /tmp upon a
call to pam_setcred. However, imapd deliberately doesn't clean up
these tickets when the user logs out, which leaves /tmp on the mail
server filled up with users' tickets. To remedy this, I patched imapd
and ipop3d, and I thought I'd send you the patch in case you want it.
The problem is that I don't really know much about the
portability issues in the UW IMAP suite, so the patch isn't really
complete because of that. I would fix it, but I don't know exactly
how.
Fredrik Tolf
--- ./src/c-client/env.h~ 2001-11-20 22:56:35.000000000 +0100
+++ ./src/c-client/env.h 2004-04-18 15:11:48.000000000 +0200
@@ -30,6 +30,7 @@ long server_input_wait (long seconds);
void server_init (char *server,char *service,char *sasl,
void *clkint,void *kodint,void *hupint,void *trmint);
long server_login (char *user,char *pass,char *authuser,int argc,char *argv[]);
+void server_logout (void);
long authserver_login (char *user,char *authuser,int argc,char *argv[]);
long anonymous_login (int argc,char *argv[]);
char *mylocalhost (void);
--- ./src/imapd/imapd.c~ 2003-07-08 05:21:50.000000000 +0200
+++ ./src/imapd/imapd.c 2004-04-18 15:05:19.068400584 +0200
@@ -1163,6 +1163,7 @@ int main (int argc,char *argv[])
}
syslog (LOG_INFO,"Logout user=%.80s host=%.80s",user ? user : "???",
tcp_clienthost ());
+ server_logout();
exit (0); /* all done */
return 0; /* stupid compilers */
}
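Review bot: The `server_logout();` added before `exit (0)` here only runs on the normal-logout path of main; the same applies to the identical insertion in ipop3d.c. server_init takes hupint/kodint/trmint handlers (env.h hunk), so if those handlers or an inactivity timeout end the process without passing through this line, the PAM credential cache would still be left behind — presumably that is the common case for dropped connections, so those exit paths likely need the same call, guarded so it is safe to run more than once. A short why-comment would help the next reader, e.g. `server_logout ();		/* release PAM session/creds before exit */`. Style: the surrounding code writes calls as `exit (0)` and `tcp_clienthost ()`, so `server_logout ()` would match. The rest of main is outside the hunk.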
--- ./src/ipopd/ipop3d.c~ 2003-01-17 17:49:31.000000000 +0100
+++ ./src/ipopd/ipop3d.c 2004-04-18 15:05:06.451318672 +0200
@@ -463,6 +463,7 @@ int main (int argc,char *argv[])
tcp_clienthost ());
PSOUT (sayonara); /* "now it's time to say sayonara..." */
PFLUSH (); /* make sure output finished */
+ server_logout();
exit (0); /* all done */
return 0; /* stupid compilers */
}
--- ./src/osdep/unix/env_unix.c~ 2003-07-15 03:30:00.000000000 +0200
+++ ./src/osdep/unix/env_unix.c 2004-04-18 15:06:34.414946168 +0200
@@ -561,6 +561,11 @@ long server_login (char *user,char *pwd,
sleep (3); /* slow down possible cracker */
return NIL;
}
+
+void server_logout (void)
+{
+ destroy_cred();
+}
/* Authenticated server log in
* Accepts: user name string
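Review bot: server_logout calls destroy_cred unconditionally, but this patch only defines destroy_cred in ckp_pam.c, so a build that links any other checkpw backend would presumably fail at link time with an undefined reference — this is the portability gap the cover note mentions. Either each backend needs a (no-op) destroy_cred, or the call here should be guarded the same way the PAM backend is selected at build time. The new function also lacks the header comment every other function in this file carries; something like `/* Server log out` / ` * Releases the PAM session and credentials acquired by server_login (PAM builds only)` / ` */` in the file's existing style would do. server_login's body ends at the top of the hunk and the following function continues outside it.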
--- ./src/osdep/unix/env_unix.h~ 2002-02-23 05:03:45.000000000 +0100
+++ ./src/osdep/unix/env_unix.h 2004-04-18 15:13:01.000000000 +0200
@@ -91,6 +91,7 @@ void grim_pid_reap_status (int pid,int k
long safe_write (int fd,char *buf,long nbytes);
void *arm_signal (int sig,void *action);
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[]);
+void destroy_cred (void);
long loginpw (struct passwd *pw,int argc,char *argv[]);
long pw_login (struct passwd *pw,char *auser,char *user,char *home,int argc,
char *argv[]);
--- ./src/osdep/unix/ckp_pam.c~ 2002-04-30 04:32:27.000000000 +0200
+++ ./src/osdep/unix/ckp_pam.c 2004-04-18 15:08:37.545227520 +0200
@@ -25,6 +25,8 @@ struct checkpw_cred {
char *pass; /* password */
};
+static pam_handle_t *hdl = NULL;
+
/* PAM conversation function
* Accepts: number of messages
* vector of messages
@@ -69,7 +71,6 @@ static int checkpw_conv (int num_msg,con
struct passwd *checkpw (struct passwd *pw,char *pass,int argc,char *argv[])
{
- pam_handle_t *hdl;
struct pam_conv conv;
struct checkpw_cred cred;
conv.conv = &checkpw_conv;
@@ -100,15 +101,14 @@ struct passwd *checkpw (struct passwd *p
*/
pam_open_session (hdl,NIL); /* make sure account doesn't go inactive */
#endif
-#if 0
- /*
- * This is also a problem. Apparently doing this breaks access to DFS home
- * space (hence the #if 0), but there is a report that not doing it causes
- * the credentials to stick around long after the server process is gone.
- */
- /* clean up */
- pam_setcred (hdl,PAM_DELETE_CRED);
-#endif
- pam_end (hdl,PAM_SUCCESS); /* return success */
return pw;
}
+
+void destroy_cred (void)
+{
+ if(hdl == NULL)
+ return;
+ pam_close_session (hdl,NIL);
+ pam_setcred (hdl,PAM_DELETE_CRED);
+ pam_end (hdl,PAM_SUCCESS);
+}
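Review bot: destroy_cred calls `pam_close_session (hdl,NIL)` unconditionally, while the matching `pam_open_session` just above is inside an `#if … #endif` block, so on builds where the session was never opened it closes one that does not exist; the close should sit under the same conditional. After `pam_end` the static `hdl` still points at the ended handle, so a second call (e.g. from both a signal handler and the normal exit path) would reuse it — add `hdl = NULL;` after `pam_end (hdl,PAM_SUCCESS);` so the function is idempotent. Since `hdl` is now file-static, any failure path in checkpw that calls pam_end and returns NIL (not visible in this hunk) would leave the same dangling handle for a later destroy_cred; those paths presumably need to reset it too. The deleted `#if 0` comment recorded that `PAM_DELETE_CRED` was observed to break access to DFS home space; moving it to logout may avoid that, but the caveat is worth keeping as a comment next to the new call, e.g. `/* was disabled at login time: reportedly broke DFS home access when run before the session ended */`. Style: the file writes `if (` with a space, so `if (!hdl) return;` matches better than `if(hdl == NULL)`.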