summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2014-06-07 17:47:33 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2014-06-07 17:47:33 -0500
commitbea400f197c7b63eb265abad2647849248cfffd8 (patch)
tree0680894d4529c602437a9e08c1c7ad1168773867 /src
parent93ce320477ee490923496d46a1d264c83acaac08 (diff)
downloadlibtdeldap-bea400f197c7b63eb265abad2647849248cfffd8.tar.gz
libtdeldap-bea400f197c7b63eb265abad2647849248cfffd8.zip
Fix security hole when Kerberos credential caching is enabled
The prior PAM stack configuration, while unfortunately present in many online examples, allows storing of an arbitrary cached password for non-Kerberos users by simply entering it twice
Diffstat (limited to 'src')
-rw-r--r--src/libtdeldap.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5309ecb..d051ad2 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4087,7 +4087,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
if (pamConfig.enable_cached_credentials) {
- stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
+ stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
}
stream << "auth required pam_deny.so" << "\n";