Issued:
2011-12-06
Updated:
2011-12-06

RHBA-2011:1704 - pam_krb5 bug fix update

Synopsis

pam_krb5 bug fix update

Type/Severity

Bug Fix Advisory (none)

Topic

An updated pam_krb5 package that fixes various bugs is now available for Red Hat Enterprise Linux 6.

Description

The pam_krb5 package allows PAM-aware applications to check user passwords with the help of a Kerberos KDC.

This updated pam_krb5 package includes fixes for the following bugs:

  • When a client logged into a remote host using SSH with GSSAPI authentication, configured to re-delegate credentials when the client obtains fresh credentials, pam_krb5 created a new credential cache on the remote host in addition to the cache created by SSH. Consequently, the credential cache that pam_krb5 had created for the user's session would not be updated when they were renewed on the client. This update prevents pam_krb5 from creating its own cache in the scenario described, so the credential delegation mechanism is not interfered with. (BZ#690832)

  • Prior to this update, when a client attempted to perform a password change after using a non-password-based pre-authentication mechanism (such as a Smart Card), the pam_krb5 module would unnecessarily prompt for the user's PIN (twice). This update corrects this bug. (BZ#700520)

  • When a client, using SSH, logged into a remote host using the PasswordAuthentication mechanism, two credential caches would be created for the user on the remote host, but only one of them would be removed when the user logged out. This update no longer creates the second, redundant cache. (BZ#720609, BZ#722489, BZ#733803)

All users of pam_krb5 are advised to upgrade to this updated package, which fixes these bugs.

Solution

Before applying this update, make sure all previously-released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at This content is not included.https://access.redhat.com/kb/docs/DOC-11259

Affected Products

ProductVersionArch
Red Hat Enterprise Linux for Scientific Computing6x86_64
Red Hat Enterprise Linux for Power, big endian6ppc64
Red Hat Enterprise Linux for IBM z Systems6s390x
Red Hat Enterprise Linux Workstation6x86_64
Red Hat Enterprise Linux Workstation6i386
Red Hat Enterprise Linux Server6x86_64
Red Hat Enterprise Linux Server6i386
Red Hat Enterprise Linux Server from RHUI6x86_64
Red Hat Enterprise Linux Server from RHUI6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension6x86_64
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension6i386
Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems)6s390x
Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems)6s390x
Red Hat Enterprise Linux Desktop6x86_64
Red Hat Enterprise Linux Desktop6i386

Updated Packages

  • pam_krb5-2.3.11-9.el6.ppc.rpm
  • pam_krb5-2.3.11-9.el6.src.rpm
  • pam_krb5-debuginfo-2.3.11-9.el6.ppc.rpm
  • pam_krb5-debuginfo-2.3.11-9.el6.s390.rpm
  • pam_krb5-2.3.11-9.el6.ppc64.rpm
  • pam_krb5-2.3.11-9.el6.x86_64.rpm
  • pam_krb5-debuginfo-2.3.11-9.el6.s390x.rpm
  • pam_krb5-2.3.11-9.el6.s390.rpm
  • pam_krb5-debuginfo-2.3.11-9.el6.x86_64.rpm
  • pam_krb5-2.3.11-9.el6.s390x.rpm
  • pam_krb5-debuginfo-2.3.11-9.el6.i686.rpm
  • pam_krb5-2.3.11-9.el6.i686.rpm
  • pam_krb5-debuginfo-2.3.11-9.el6.ppc64.rpm

Fixes

CVEs

(none)

References

(none)

Additional information