Your message dated Tue, 31 Mar 2020 03:33:46 +0000
with message-id <[email protected]>
and subject line Bug#871699: fixed in libpam-krb5 4.9-1
has caused the Debian Bug report #871699,
regarding libpam-krb5: Add no_subsequent_prompt option
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
871699: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871699
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-krb5
Version: 4.7-4
Severity: normal
Dear Maintainer,
Please add the no_subsequent_prompt option to pam_krb5. This option is
implemented in Red Hat and is very useful.
Example:
auth required pam_env.so
auth [success=ok ignore=2 authinfo_unavail=2 default=die] pam_pkcs11.so card_only
auth [default=ignore] pam_krb5.so no_initial_prompt no_subsequent_prompt
auth sufficient pam_permit.so
auth sufficient pam_krb5.so
auth required pam_deny.so
This PAM configuration allows authorization by username/password, with
a Kerberos ticket being obtained, ONLY if the smartcard is not inserted.
If the smartcard is inserted, authorization is possible ONLY by pkcs11, and
the Kerberos ticket is obtained by pam_krb5 using the certificate without
asking for the PIN again.
I am unable to create the same configuration using pam_krb5 with the
try_pkinit option because pam_krb5 will ask for a password if pkinit failed
due to an invalid PIN.
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8), LANGUAGE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages libpam-krb5 depends on:
ii krb5-config 2.6
ii libc6 2.24-11+deb9u1
ii libkrb5-3 1.15-1
ii libpam-runtime 1.1.8-3.6
ii libpam0g 1.1.8-3.6
libpam-krb5 recommends no packages.
libpam-krb5 suggests no packages.
-- no debconf information
--- End Message ---
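The control flow of the PAM stack in the report above, traced with a simplified model of Linux-PAM's handling of control fields in an auth stack. This is an added example, not part of the original messages and not code from libpam-krb5 or Linux-PAM. The labels krb5_pkinit and krb5_password and the per-module return codes passed in are constructed assumptions.

```python
# Added example: simplified model of Linux-PAM control handling (auth stack only).
SHORTHAND = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}
# The reported stack, wrapped lines rejoined. "krb5_pkinit" and "krb5_password"
# are labels invented here to tell the two pam_krb5.so lines apart.
STACK = [
    ("pam_env", "required"),
    ("pam_pkcs11", "[success=ok ignore=2 authinfo_unavail=2 default=die]"),
    ("krb5_pkinit", "[default=ignore]"),
    ("pam_permit", "sufficient"),
    ("krb5_password", "sufficient"),
    ("pam_deny", "required"),
]

def parse_control(control):
    """Turn 'required' or '[a=b c=d]' into a {return_code: action} dict."""
    body = control[1:-1] if control.startswith("[") else SHORTHAND[control]
    return dict(pair.split("=", 1) for pair in body.split())

def run_stack(stack, results):
    """results: constructed {label: return code}. Returns (status, modules called)."""
    status, impression, called, skip = "success", None, [], 0
    for name, control in stack:
        if skip:                      # still inside a jump: module is not called
            skip -= 1
            continue
        called.append(name)
        ret = results[name]
        actions = parse_control(control)
        action = actions[ret] if ret in actions else actions["default"]
        if action.isdigit():          # jump over N modules; acts like ignore here
            skip = int(action)
        elif action in ("ok", "done"):
            if impression is None or (impression == "good" and status == "success"):
                impression, status = "good", ret
            if action == "done" and impression == "good":
                break                 # sufficient-style early success
        elif action in ("bad", "die"):
            if impression != "bad":
                impression, status = "bad", ret
            if action == "die":
                break                 # stop the stack at once, no fallback
    if impression != "good" and status == "success":
        status = "perm_denied"        # nothing vouched for the user
    return status, called
```

When pam_pkcs11 returns auth_err (card present, wrong PIN), default=die ends the stack before the password-based pam_krb5.so line is reached. When it returns ignore or authinfo_unavail, the jump of 2 skips both the prompt-less pam_krb5.so line and pam_permit.so.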
--- Begin Message ---
Source: libpam-krb5
Source-Version: 4.9-1
Done: Russ Allbery <[email protected]>
We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[email protected]> (supplier of updated libpam-krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Mon, 30 Mar 2020 19:46:43 -0700
Binary: libpam-heimdal libpam-heimdal-dbgsym libpam-krb5 libpam-krb5-dbgsym
Source: libpam-krb5
Architecture: amd64 source
Version: 4.9-1
Distribution: unstable
Urgency: high
Maintainer: Russ Allbery <[email protected]>
Changed-By: Russ Allbery <[email protected]>
Closes: 871699
Description:
libpam-heimdal - PAM module for Heimdal Kerberos
libpam-krb5 - PAM module for MIT Kerberos
Changes:
libpam-krb5 (4.9-1) unstable; urgency=high
.
* New upstream release.
- Fix potential one-byte buffer overflow when relaying prompts from
the underlying Kerberos library. (CVE-2020-10595)
- Support use_pkinit with MIT Kerberos. (Closes: #871699)
- Reject passwords as long or longer than PAM_MAX_RESP_SIZE (512
octets) to avoid denial of service attacks.
- Use explicit_bzero to erase passwords before freeing.
- Return more accurate errors from the Kerberos prompter function.
- Fix an edge-case memory leak in pam_chauthtok.
* Update to debhelper compatibility level V12.
- Depend on debhelper-compat instead of debhelper.
* Update standards version to 4.5.0 (no changes required).
* Refresh upstream signing key.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---