On Sun, 18 Apr 2004, Fredrik Tolf wrote:
> I'm using the UW IMAP imapd in my network on a GNU/Linux host, along
> with Kerberos authentication, and plaintext passwords using PAM and
> the pam_krb5 module.
>
> The pam_krb5 module saves the user's decoded ticket in /tmp upon a
> call to pam_setcred. However, imapd deliberately doesn't clean up
> these tickets when the user logs out, which leaves /tmp on the mail
> server filled up with users' tickets. To remedy this, I patched imapd
> and ipop3d to fix this, and so I thought I'd send you a patch in case
> you want it. The problem is that I don't really know much about the
> portability issues in the UW IMAP suite, so the patch isn't really
> complete because of that. I would fix it, but I don't know exactly
> how.
Could I add my (e-)voice in support of addressing this? Some months ago,
we, too, had this problem of "/tmp" filling up with literally millions of
orphaned krb5 credentials files. (imap-2002e but I think the problem has
been around for longer: a copy of "imap-2001a" also has this same code.)
My own workaround (fudge) was a simpler version than that of Fredrik
Tolf: I simply re-enabled the code that had been '#if 0'd out. (I cannot
judge on which is "better": his may well be more thorough.)
==================== snip ===================
--- src/osdep/unix/ckp_pam.c.orig Tue Apr 30 03:32:27 2002
+++ src/osdep/unix/ckp_pam.c Sat Jan 17 12:26:31 2004
@@ -100,7 +100,7 @@
*/
pam_open_session (hdl,NIL); /* make sure account doesn't go inactive */
#endif
-#if 0
+#if 1
/*
* This is also a problem. Apparently doing this breaks access to DFS home
* space (hence the #if 0), but there is a report that not doing it causes
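Review bot: changing the constant on the `#if` line from 0 to 1 re-enables this block for every build, including the DFS case that the comment directly below says it breaks ("Apparently doing this breaks access to DFS home space"). Consider guarding the block with a named build-time macro that DFS sites can leave undefined, rather than a bare `#if 1`, and update the "(hence the #if 0)" wording in the comment, which no longer matches the code after this change.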
==================== snip ===================
The code that should be removing the credentials has been '#if 0'd (i.e.
commented out) because of a problem in one particular operating
environment, DFS. If that environment needs special treatment, then
wouldn't it be much cleaner to make the "#if ..." target only that system or
feature? (If c-client were using autoconf, I would volunteer to assist a
DFS person to code the relevant autoconf test, but we're not so I can't.)
Somehow, could this be addressed, please? Many thanks.
Sorry for not reporting it earlier: I considered it, but thought that I
would have been a lone voice, pleading a minority interest corner. It is
at least reassuring to know that there are more of us.
Thanks again, Mark, for a great product!
--
: David Lee I.T. Service :
: Systems Programmer Computer Centre :
: University of Durham :
: http://www.dur.ac.uk/t.d.lee/ South Road :
: Durham :
: Phone: +44 191 334 2752 U.K. :