---------------------------------------------------------------------
Fedora Update Notification
FEDORA-2003-024
2003-11-25
---------------------------------------------------------------------

Name        : pam_krb5
Version     : 2.0.5
Release     : 1
Summary     : A Pluggable Authentication Module for Kerberos 5.
Description :
This is pam_krb5, a pluggable authentication module that can be used with Linux-PAM and Kerberos 5. This module supports password checking, ticket creation, and optional TGT verification and conversion to Kerberos IV tickets. The included pam_krb5afs module also gets AFS tokens if so configured.

---------------------------------------------------------------------
Update Information:

The version of pam_krb5 included in Fedora Core 1 did not honor the ticket_lifetime setting in /etc/krb5.conf's [appdefaults] section, in the "pam" subsection. The default renewable lifetime set in this configuration file is 10 hours. The default ticket lifetime used in libkrb5 is 24 hours.

When answering a request for initial credentials which specifies these lifetimes, some KDC implementations will reply with initial credentials with a renewable lifetime increased to match the ticket lifetime. This modification to the response is treated as an error by libkrb5, and authentication fails when it would otherwise succeed.

The updated version of pam_krb5 now honors the ticket_lifetime setting, and the configured default ticket lifetime (10 hours) does not trigger this error condition.

---------------------------------------------------------------------
This update can be downloaded from:
  http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/1/

SRPMS/pam_krb5-2.0.5-1.src.rpm md5 sum: ac92e1a6607ac0c7298088d6f561b107
i386/pam_krb5-2.0.5-1.i386.rpm md5 sum: 4c74720189780c9a946d8d5ba1c3a64f
i386/debug/pam_krb5-debuginfo-2.0.5-1.i386.rpm md5 sum: 2f2722b9bf5475589fd09f1891f7af7b

This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command.
---------------------------------------------------------------------
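The lifetime mismatch described in the update information above can be checked against a krb5.conf with a short script. This is an added example, not part of the original announcement or of pam_krb5; the `renew_lifetime` key name, the sample configuration and the function names are assumptions, and only plain seconds or a single s/m/h/d suffix are parsed.

```python
import re

LIBKRB5_DEFAULT_TICKET = 24 * 3600  # libkrb5 default ticket lifetime, per the advisory

# Constructed sample of the [appdefaults] "pam" subsection (10 hours = 36000 s).
SAMPLE = """\
[appdefaults]
 pam = {
   ticket_lifetime = 36000
   renew_lifetime = 36000
 }
"""

def pam_appdefaults(text):
    """Return the key/value pairs found in [appdefaults] pam = { ... }."""
    section, in_pam, out = None, False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                # new top-level section
            section, in_pam = m.group(1), False
        elif section == "appdefaults":
            if re.fullmatch(r"pam\s*=\s*\{", line):
                in_pam = True
            elif line == "}":
                in_pam = False
            elif in_pam and "=" in line:
                key, value = (p.strip() for p in line.split("=", 1))
                out[key] = value
    return out

def seconds(value):
    """Convert '36000' or '10h' style values to seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported lifetime: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]

def requested_lifetimes(text, honors_ticket_lifetime):
    """Return (ticket, renewable, at_risk) for the request the module would make."""
    cfg = pam_appdefaults(text)
    ticket = LIBKRB5_DEFAULT_TICKET
    if honors_ticket_lifetime and "ticket_lifetime" in cfg:
        ticket = seconds(cfg["ticket_lifetime"])
    renew = seconds(cfg["renew_lifetime"]) if "renew_lifetime" in cfg else None
    # At risk: renewable lifetime shorter than ticket lifetime, which some KDCs adjust.
    return ticket, renew, renew is not None and renew < ticket
```

With the sample, `requested_lifetimes(SAMPLE, False)` models the Fedora Core 1 module (24-hour ticket, 10-hour renewable, at risk) and `requested_lifetimes(SAMPLE, True)` models the updated one.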
[Replying to myself, because the current form doesn't list bug IDs, and the RPM changelog didn't because it's in the docdir ChangeLog.]
On Tue, Nov 25, 2003 at 07:36:09PM -0500, Nalin Dahyabhai wrote:
> The version of pam_krb5 included in Fedora Core 1 did not honor the ticket_lifetime setting in /etc/krb5.conf's [appdefaults] section, in the "pam" subsection. The default renewable lifetime set in this configuration file is 10 hours. The default ticket lifetime used in libkrb5 is 24 hours.
>
> When answering a request for initial credentials which specifies these lifetimes, some KDC implementations will reply with initial credentials with a renewable lifetime increased to match the ticket lifetime. This modification to the response is treated as an error by libkrb5, and authentication fails when it would otherwise succeed.
Some discussion for interested parties: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=109331
Cheers,
Nalin
On Tue, 25 Nov 2003 19:36:09 -0500, Nalin Dahyabhai wrote:
> Fedora Update Notification
Shouldn't that be "Fedora Test Update Notification"?
With all these inconsistencies in message subject and body, it gets a bit troublesome to keep the local filtering up-to-date. First I've tried to adapt to the changing subject line. Now the message body keeps changing too. The regexp is getting longer.
--
On Wed, Nov 26, 2003 at 04:09:24PM +0100, Michael Schwendt wrote:
> On Tue, 25 Nov 2003 19:36:09 -0500, Nalin Dahyabhai wrote:
>> Fedora Update Notification
> Shouldn't that be "Fedora Test Update Notification"?
> With all these inconsistencies in message subject and body, it gets a bit troublesome to keep the local filtering up-to-date.
So far I resorted to filtering over a message header. If it is "To: fedora-test-list...." then this is "Fedora Test ...." and URLs will have "testing" in them even if a posting itself says otherwise. For the time being it works. :-)
Michal
On Wed, Nov 26, 2003 at 04:09:24PM +0100, Michael Schwendt wrote:
> On Tue, 25 Nov 2003 19:36:09 -0500, Nalin Dahyabhai wrote:
>> Fedora Update Notification
> Shouldn't that be "Fedora Test Update Notification"?
Yeah. The message is generated by a script, but its output currently needs to be modified for tests, and I missed that spot.
Nalin