Your message dated Tue, 17 Feb 2009 16:32:07 +0000
with message-id <[email protected]>
and subject line Bug#492039: fixed in libpam-krb5 3.13-2
has caused the Debian Bug report #492039,
regarding libpam-krb5: document ssh requirement for session group
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
492039: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=492039
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-krb5
Version: 2.6-1
Severity: normal
By default, for ssh logins that are authenticated by prompting
for a kerberos password, pam_krb5.so will put user credentials
in /tmp/krb5cc_0, overwriting any existing file by that name,
no matter which user owns the file.
The ccache option is supposed to allow customizing the name of
the credentials file. Regarding that option, the man page
says:
This option can be set in krb5.conf and is only
applicable to the auth and session groups.
This is incorrect -- ccache cannot be set in krb5.conf.
Instead, the ccache option must be specified on the pam_krb5.so
command line in /etc/pam.d/common-session as stated in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=341926
Presumably the ccache_dir option has the same problem, but I
did not investigate this.
An email associated with bug 341926 mentions updating the NEWS
file to make people aware of this, but I saw no such entry in
the NEWS file or any mention of it in the README files.
Unless the code is modified to match the man page description,
the behavior of the ccache option should be more clearly
documented.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-amd64
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages libpam-krb5 depends on:
ii krb 1.16 Configuration files for Kerberos V
ii lib 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 common error description library
ii lib 1.4.4-7etch5 MIT Kerberos runtime libraries
ii lib 0.79-5 Pluggable Authentication Modules l
libpam-krb5 recommends no packages.
-- no debconf information
--- End Message ---
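As an added example, not taken from the bug report above or from libpam-krb5 itself, the following POSIX shell functions implement two checks an administrator would want after reading that report: which ccache= pattern, if any, the pam_krb5.so session line in a PAM config file actually carries (the report's point being that the option only takes effect there, not in krb5.conf), and whether the krb5cc_* files in a cache directory are owned by the uid embedded in their name and are closed to group and other. It assumes the pam-krb5 option syntax ccache=<pattern> with %u standing for the numeric uid, as the module's man page describes, and GNU stat(1) for owner and mode lookup; the PAM lines and cache files used with it are constructed samples.

```shell
# Added example (not part of the bug report or of libpam-krb5).
# Assumptions: pam_krb5 takes "ccache=<pattern>" with %u for the uid, and
# stat(1) is GNU stat (the -c %u / -c %a formats).

# pam_session_ccache FILE
#   Print the ccache= pattern from the first non-comment
#   "session ... pam_krb5.so" line in FILE, "default" if pam_krb5.so is in
#   the session group without that option (the module's built-in default
#   will be used), or "none" if it is not in the session group at all.
pam_session_ccache() {
    awk '
        /^[[:space:]]*#/ { next }
        $1 == "session" && /pam_krb5\.so/ {
            found = 1
            for (i = 1; i <= NF; i++)
                if ($i ~ /^ccache=/) { sub(/^ccache=/, "", $i); print $i; exit }
            print "default"
            exit
        }
        END { if (!found) print "none" }
    ' "$1"
}

# check_ccache_dir DIR
#   For every DIR/krb5cc_* file, require that the uid in the file name
#   (krb5cc_<uid> or krb5cc_<uid>_XXXXXX) is the owner and that the mode
#   grants nothing to group or other.  Prints one OK/BAD line per file and
#   returns 1 if any file is BAD.  A /tmp/krb5cc_0 owned by an unprivileged
#   user, or a cache that another user's login overwrote, shows up as BAD.
check_ccache_dir() {
    dir=$1
    bad=0
    for f in "$dir"/krb5cc_*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        want=$(printf '%s\n' "$name" | sed -n 's/^krb5cc_\([0-9][0-9]*\).*/\1/p')
        owner=$(stat -c %u "$f")
        mode=$(stat -c %a "$f")
        if [ -z "$want" ]; then
            echo "BAD $f: no uid in file name"; bad=1
        elif [ "$owner" != "$want" ]; then
            echo "BAD $f: owned by uid $owner, name says uid $want"; bad=1
        else
            case $mode in
                *00) echo "OK  $f" ;;
                *)   echo "BAD $f: mode $mode open to group/other"; bad=1 ;;
            esac
        fi
    done
    return $bad
}

# Usage (run as root on the affected host):
#   pam_session_ccache /etc/pam.d/common-session
#   check_ccache_dir /tmp
```

The first function deliberately ignores krb5.conf: per the report, a ccache setting placed there is not read by this version of the module, so the only line that matters is the session entry in the PAM stack. The second function flags exactly the condition the report describes, a cache file whose name claims one uid while the file belongs to another.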
--- Begin Message ---
Source: libpam-krb5
Source-Version: 3.13-2
We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive:
libpam-krb5_3.13-2.diff.gz
to pool/main/libp/libpam-krb5/libpam-krb5_3.13-2.diff.gz
libpam-krb5_3.13-2.dsc
to pool/main/libp/libpam-krb5/libpam-krb5_3.13-2.dsc
libpam-krb5_3.13-2_i386.deb
to pool/main/libp/libpam-krb5/libpam-krb5_3.13-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[email protected]> (supplier of updated libpam-krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 17 Feb 2009 07:50:53 -0800
Source: libpam-krb5
Binary: libpam-krb5
Architecture: source i386
Version: 3.13-2
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <[email protected]>
Changed-By: Russ Allbery <[email protected]>
Description:
libpam-krb5 - PAM module for MIT Kerberos
Closes: 492039 492379
Changes:
libpam-krb5 (3.13-2) unstable; urgency=low
.
* Upload to unstable.
.
libpam-krb5 (3.13-1) experimental; urgency=high
.
* New upstream release.
- SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore
user environment variables that specify the local keytab and
Kerberos configuration. Protects against a privilege escalation
vulnerability.
- SECURITY (CVE-2009-0361): Protect against applications calling
pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid
context. This API call is designed to reinitialize an existing
Kerberos ticket cache and therefore trusts the KRB5CCNAME
environment variable, but in a setuid context, this may allow
overwriting arbitrary files.
* Install the upstream NEWS file as an upstream changelog.
* Add ${misc:Depends} to the package dependencies.
* Improve wording for the GPL pointer. The package may be distributed
under any version of the GPL.
.
libpam-krb5 (3.12-1) experimental; urgency=low
.
* New upstream release.
- New alt_auth_map, force_alt_auth, and only_alt_auth options to map
usernames to alternative Kerberos principals for authentication.
- Log to authpriv, not auth.
- Correctly log an exit status of ignore during debugging.
- Document ssh session requirement. (Closes: #492039)
- Document ignore handling with [] actions. (Closes: #492379)
* Update to debhelper compatibility mode V7.
- Use debhelper rule minimization except for configure.
- Let the upstream Makefile do the installation.
* Remove NEWS.Debian, only of interest in upgrades from sarge.
Checksums-Sha1:
036bb6a80627a33abfe6a2454c4d0938901da62f 1214 libpam-krb5_3.13-2.dsc
7a388e71e1a78d8fa400393e4a73aaa936b99182 13399 libpam-krb5_3.13-2.diff.gz
0a4314f896e487395d9559a148d9844f2145f65f 65640 libpam-krb5_3.13-2_i386.deb
Checksums-Sha256:
1fbabd88ec3122be6258e61fd439f3048d38b3707ff388b7ed257843e856acd0 1214 libpam-krb5_3.13-2.dsc
1fdefd3da0ae2b21dd65a2db46150403c5fa456e588e8dac8e3978603d44e319 13399 libpam-krb5_3.13-2.diff.gz
07bc914759334df38cf0287dd7591b318360ced19f69d85e116f8eb30a85c6f1 65640 libpam-krb5_3.13-2_i386.deb
Files:
4ad33a91361b5e3bbbf035cc4b2b3f77 1214 net optional libpam-krb5_3.13-2.dsc
ece147f60624687d34770d74af073e5f 13399 net optional libpam-krb5_3.13-2.diff.gz
5391de0bab2d4c8754c1e73d507d8f75 65640 net optional libpam-krb5_3.13-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkma49MACgkQ+YXjQAr8dHalKACeIEzCQKqKgD11yCWfD92YoTzk
xe0An0xza26bfY3OUAWJpF9yCiQbXmji
=NThh
-----END PGP SIGNATURE-----
--- End Message ---