Your message dated Sun, 03 Jun 2012 03:36:05 +0000
with message-id <[email protected]>
and subject line Bug#626506: fixed in libpam-krb5 4.6-1
has caused the Debian Bug report #626506,
regarding libpam-krb5: Add an option so pam_krb5 won't prompt for password (use
the kerberos prompt instead)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
626506: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=626506
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-krb5
Version: 4.4-1
Severity: wishlist
Tags: upstream patch
Some preauth plugins have their own password prompts, and with pam_krb5 always
asking for password, the result is two password prompts (when the first might
be ignored, as the preauth can replace the key).
I suggest a no_password option to solve this issue. Attached is a patch that
does it.
Thanks,
Yair.
-- System Information:
Debian Release: wheezy/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1,
'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38.4-rt-1 (SMP w/6 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libpam-krb5 depends on:
ii krb5-config 2.2 Configuration files for Kerberos V
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libkrb5-3 1.9+dfsg-1+b1 MIT Kerberos runtime libraries
ii libpam-runtime 1.1.2-2 Runtime support for the PAM librar
ii libpam0g 1.1.2-2 Pluggable Authentication Modules l
libpam-krb5 recommends no packages.
libpam-krb5 suggests no packages.
-- no debconf information
diff --git a/auth.c b/auth.c
index 9821edd..0643505 100644
--- a/auth.c
+++ b/auth.c
@@ -689,7 +689,7 @@ pamk5_password_auth(struct pam_args *args, const char *service,
goto done;
}
do {
- if ((pass == NULL || *pass == '\0') && !args->try_pkinit) {
+ if ((pass == NULL || *pass == '\0') && !args->try_pkinit && !args->no_password) {
const char *prompt = (service == NULL) ? NULL : "Current";
retry = 0;
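Review bot: In the changed condition in pamk5_password_auth, skipping the prompt block when `args->no_password` is set also skips the `retry = 0;` assignment that sits inside that block, and leaves `pass` NULL or empty for the rest of the loop body; the hunk does not show how the code after the `if` copes with either. Please confirm that the Kerberos call further down is handed a NULL password so the library prompter runs, and that the `do` loop still terminates when `retry` is not reset here. The new line is also past 80 columns even before indentation; wrapping the condition after `!args->try_pkinit` would keep it in line with the surrounding code.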
diff --git a/internal.h b/internal.h
index c9bdb11..c54c444 100644
--- a/internal.h
+++ b/internal.h
@@ -76,6 +76,7 @@ struct pam_args {
krb5_deltat lifetime; /* Lifetime of credentials. */
int minimum_uid; /* Ignore users below this UID. */
int no_ccache; /* Don't create a ticket cache. */
+ int no_password; /* don't prompt for password */
int prompt_princ; /* Prompt for the Kerberos principal. */
char *realm; /* Default realm. */
krb5_deltat renew_lifetime; /* Renewable lifetime of credentials. */
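Review bot: The comment on the new `no_password` member does not follow the style of the neighbouring fields in struct pam_args, which use a capitalized sentence ending in a period (`/* Don't create a ticket cache. */`). Suggest `/* Don't prompt for the password. */`. Since the documentation hunk says the prompt is left to Kerberos rather than dropped altogether, saying so in the comment would also make the field easier to tell apart from `prompt_princ`.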
diff --git a/options.c b/options.c
index 121161a..9aabf4a 100644
--- a/options.c
+++ b/options.c
@@ -308,6 +308,7 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
default_boolean(args, c, "ignore_root", 0, &args->ignore_root);
default_string(args, c, "keytab", NULL, &args->keytab);
default_number(args, c, "minimum_uid", 0, &args->minimum_uid);
+ default_boolean(args, c, "no_password", 0, &args->no_password);
default_boolean(args, c, "only_alt_auth", 0, &args->only_alt_auth);
default_string(args, c, "pkinit_anchors", NULL, &args->pkinit_anchors);
default_boolean(args, c, "pkinit_prompt", 0, &args->pkinit_prompt);
@@ -392,6 +393,8 @@ pamk5_args_parse(pam_handle_t *pamh, int flags, int argc, const char **argv)
args->minimum_uid = atoi(&argv[i][strlen("minimum_uid=")]);
else if (strcmp(argv[i], "no_ccache") == 0)
args->no_ccache = 1;
+ else if (strcmp(argv[i], "no_password") == 0)
+ args->no_password = 1;
else if (strcmp(argv[i], "only_alt_auth") == 0)
args->only_alt_auth = 1;
else if (strncmp(argv[i], "pkinit_anchors=", 15) == 0) {
diff --git a/pam_krb5.pod b/pam_krb5.pod
index 75b4b7f..8cc1a93 100644
--- a/pam_krb5.pod
+++ b/pam_krb5.pod
@@ -269,6 +269,15 @@ system account incorrectly authenticating as that system account.
This option can be set in F<krb5.conf>.
+=item no_password
+
+Don't force a password prompt. Instead, let kerberos prompt for the
+password. This is useful when, e.g. a preauth is responsible for password
+prompting which otherwise will result with two password prompts.
+
+With this option the pam's authtok isn't set, which might cause some problems
+if any other pam module/function requires it.
+
=item only_alt_auth
This option is used with I<alt_auth_map> and forces the use of the mapped
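Review bot: The new `=item no_password` entry omits the line "This option can be set in F<krb5.conf>." that the preceding entry carries, although the options.c hunk registers the option with `default_boolean(args, c, "no_password", 0, &args->no_password)` next to the other defaults; add the line if that is the intent. The caveat that the authtok is not set should be more specific than "might cause some problems": say that other PAM modules or functions that require the authtok will not find one. Minor wording: "Kerberos" and "PAM" should be capitalized, and "result with" should read "result in".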
--- End Message ---
--- Begin Message ---
Source: libpam-krb5
Source-Version: 4.6-1
We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive:
libpam-heimdal_4.6-1_i386.deb
to main/libp/libpam-krb5/libpam-heimdal_4.6-1_i386.deb
libpam-krb5_4.6-1.debian.tar.xz
to main/libp/libpam-krb5/libpam-krb5_4.6-1.debian.tar.xz
libpam-krb5_4.6-1.dsc
to main/libp/libpam-krb5/libpam-krb5_4.6-1.dsc
libpam-krb5_4.6-1_i386.deb
to main/libp/libpam-krb5/libpam-krb5_4.6-1_i386.deb
libpam-krb5_4.6.orig.tar.xz
to main/libp/libpam-krb5/libpam-krb5_4.6.orig.tar.xz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[email protected]> (supplier of updated libpam-krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Sat, 02 Jun 2012 19:20:27 -0700
Source: libpam-krb5
Binary: libpam-krb5 libpam-heimdal
Architecture: source i386
Version: 4.6-1
Distribution: unstable
Urgency: low
Maintainer: Russ Allbery <[email protected]>
Changed-By: Russ Allbery <[email protected]>
Description:
libpam-heimdal - PAM module for Heimdal Kerberos
libpam-krb5 - PAM module for MIT Kerberos
Closes: 626506 626509
Changes:
libpam-krb5 (4.6-1) unstable; urgency=low
.
* New upstream release.
- New anon_fast option to attempt anonymous authentication and use
those credentials to provide FAST armor. (Closes: #626509)
- New user_realm option to set the realm for unqualified user
principals without changing the default realm for all other
operations.
- New no_prompt option to suppress PAM prompting in favor of letting
the Kerberos library handle it. (Closes: #626506)
- New silent option that duplicates the behavior of PAM_SILENT.
- New trace option for preliminary support of Kerberos trace logging.
- Fix the doubled colon in password prompts from Heimdal.
- Preserve the realm of the authentication identity when forming an
alt_auth_map identity.
- Allow the alt_auth_map format to contain a realm to force all mapped
principals to be in that realm.
- Avoid a NULL pointer dereference if krb5_init_context fails.
(LP: #998525)
- Close memory leaks in search_k5login and alt_auth_map.
- Suppress bogus error messages about the realm option.
- Retry authentication under try_first_pass for several other error
conditions.
* Regenerate the Autotools build system with dh-autoreconf.
* Add krb5-config to Build-Depends so that the test programs don't abort
with errors about not having a Kerberos configuration.
* Switch to xz compression for the upstream and Debian tarballs.
* Enable parallel builds.
* Update standards version to 3.9.3 (no changes required).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
-----END PGP SIGNATURE-----
--- End Message ---