On Sun, 18 Apr 2004, Fredrik Tolf wrote:

> I'm using the UW IMAP imapd in my network on a GNU/Linux host, along
> with Kerberos authentication, and plaintext passwords using PAM and
> the pam_krb5 module.
>
> The pam_krb5 module saves the user's decoded ticket in /tmp upon a
> call to pam_setcred. However, imapd deliberately doesn't clean up
> these tickets when the user logs out, which leaves /tmp on the mail
> server filled up with users' tickets. To remedy this, I patched imapd
> and ipop3d to fix this, and so I thought I'd send you a patch in case
> you want it. The problem is that I don't really know much about the
> portability issues in the UW IMAP suite, so the patch isn't really
> complete because of that. I would fix it, but I don't know exactly
> how.

Could I add my (e-)voice in support of addressing this?  Some months ago,
we, too, had this problem of "/tmp" filling up with literally millions of
orphaned krb5 credentials files.  (imap-2002e but I think the problem has
been around for longer: a copy of "imap-2001a" also has this same code.)

My own work around (fudge) was a simpler version than that of Fredrik
Tolf: I simply re-enabled the code that had been '#if 0'd out.  (I cannot
judge on which is "better": his may well be more thorough.)

==================== snip ===================
--- src/osdep/unix/ckp_pam.c.orig       Tue Apr 30 03:32:27 2002
+++ src/osdep/unix/ckp_pam.c    Sat Jan 17 12:26:31 2004
@@ -100,7 +100,7 @@
    */
   pam_open_session (hdl,NIL);  /* make sure account doesn't go inactive */
 #endif
-#if 0
+#if 1
   /*
    * This is also a problem.  Apparently doing this breaks access to DFS home
    * space (hence the #if 0), but there is a report that not doing it causes
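Review bot: flipping `#if 0` to `#if 1` turns the credential-removal block on unconditionally, including for the DFS home-directory environment that the comment immediately below says it breaks; a named build-time feature macro (for example one that DFS sites can leave undefined) would preserve the fix for everyone else without reintroducing the DFS breakage. The comment text ("hence the #if 0") should also be updated in the same change so it does not describe a guard that no longer exists.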
==================== snip ===================

The code that should be removing the credentials has been '#if 0'd (i.e.
commented out) because of a problem in one particular operating
environment, DFS.  If that environment needs special treatment, then
wouldn't it be much cleaner to make the "#if ..." target only that system or
feature.  (If c-client were using autoconf, I would volunteer to assist a
DFS person to code the relevant autoconf test, but we're not so I can't.)

Somehow, could this be addressed, please?  Many thanks.

Sorry for not reporting it earlier: I considered it, but thought that I
would have been a lone voice, pleading a minority interest corner.  It is
at least reassuring to know that there are more of us.

Thanks again, Mark, for a great product!

-- 

:  David Lee                                I.T. Service          :
:  Systems Programmer                       Computer Centre       :
:                                           University of Durham  :
:  http://www.dur.ac.uk/t.d.lee/            South Road            :
:                                           Durham                :
:  Phone: +44 191 334 2752                  U.K.                  :

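Until the daemon itself deletes credentials on logout, the orphaned caches still accumulate. The POSIX shell sweep below is an added example, not part of UW IMAP, pam_krb5 or either poster's patch: it assumes caches live directly in one directory under the usual `krb5cc_*` naming, and it only removes regular files that carry the FILE-ccache magic bytes and have not been modified for longer than a given threshold, so unrelated files and live sessions are left alone.

```shell
#!/bin/sh
# Added example (not from the thread): sweep orphaned Kerberos credential caches
# left behind when imapd/ipop3d never ask PAM to delete the user's credentials.
# Assumptions: caches sit directly in "$dir" (e.g. /tmp) and are named krb5cc_*.

is_krb5_ccache() {
    # A FILE-type credential cache begins with 0x05 followed by the format
    # version byte (3 or 4). Anything else is not a cache and is never removed.
    magic=$(od -An -tx1 -N2 "$1" | tr -d ' \n')
    [ "$magic" = "0504" ] || [ "$magic" = "0503" ]
}

sweep_krb5_caches() {
    dir=$1            # directory holding the caches, e.g. /tmp
    max_age_min=$2    # caches untouched for more than this many minutes are removed
    removed=0
    for f in "$dir"/krb5cc_*; do
        # Regular files only: a symlink planted in /tmp must not redirect the rm.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        # find prints the path only when the file is older than the threshold;
        # a cache that is still being refreshed by a logged-in user is kept.
        [ -n "$(find "$f" -maxdepth 0 -type f -mmin +"$max_age_min")" ] || continue
        is_krb5_ccache "$f" || continue
        rm -f -- "$f" && removed=$((removed + 1))
    done
    echo "$removed"   # number of caches deleted
}

# Hypothetical cron usage: sweep_krb5_caches /tmp 1440   (caches idle for a day)
[ $# -eq 2 ] && sweep_krb5_caches "$1" "$2"
```

This is a stopgap for the symptom only; the proper fix remains having the daemon release the credentials when the session ends.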