authorTimothy Pearson <kb9vqf@pearsoncomputing.net>2014-06-07 17:47:33 -0500
committerTimothy Pearson <kb9vqf@pearsoncomputing.net>2014-06-07 17:47:33 -0500
commitbea400f197c7b63eb265abad2647849248cfffd8 (patch)
tree0680894d4529c602437a9e08c1c7ad1168773867
parent93ce320477ee490923496d46a1d264c83acaac08 (diff)
Fix security hole when Kerberos credential caching is enabled
The prior PAM stack configuration, although it appears in many online examples, allowed an arbitrary password to be stored in the credential cache for a non-Kerberos user simply by entering it twice.
-rw-r--r--src/libtdeldap.cpp2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5309ecb..d051ad2 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4087,7 +4087,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
if (pamConfig.enable_cached_credentials) {
- stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
+ stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
}
stream << "auth required pam_deny.so" << "\n";
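Review bot: The `default=ignore` on the pam_krb5 line means the new `[default=die success=done]` validate line is reached on every pam_krb5 failure, not only when the KDC is unreachable, so a password the KDC has just rejected (changed, expired, or a disabled principal) is still accepted whenever it matches the offline cache, and nothing purges that stale entry because no `action=update` line is emitted. The pattern shipped with pam_ccreds separates the cases on the online module's control: `success=1` to store, `authinfo_unavail=ignore` (or whichever code the pam_krb5 in use returns for an unreachable KDC) to validate, and a jump over both to an update line that drops the cached entry, with pam_deny still closing the stack. Since the jump counts depend on whether the ccreds lines are emitted at all, the pam_krb5 control string has to be chosen inside the same `if`; the rewrite below does that and keeps the current line in the else branch. Please check the jump counts and the update action's semantics against the pam_ccreds and pam.conf(5) documentation for the PAM in use, as jumps count modules, not lines. writePAMFiles continues on both sides of this hunk.
```cpp
// … unchanged: pam_unix line …
if (pamConfig.enable_cached_credentials) {
	// Only an unreachable KDC may fall through to the offline cache.  A
	// definitive KDC rejection jumps past validate/store to the update
	// line, which removes any stale cached entry for this user.
	stream << "auth [success=1 authinfo_unavail=ignore service_err=ignore default=2] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
	stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
	stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
	stream << "auth [default=bad] pam_ccreds.so action=update use_first_pass" << "\n";
} else {
	stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
}
stream << "auth required pam_deny.so" << "\n";
```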