Patch-ID# 109806-17 Keywords: security login kerberos pam.conf authentication pam_krb5.so.1 pointer Synopsis: SunOS 5.8_x86: /usr/lib/security/pam_krb5.so.1 patch Date: Jan/27/2004 Install Requirements: None Solaris Release: 8_x86 SunOS Release: 5.8_x86 Unbundled Product: Unbundled Release: Xref: This patch available for SPARC as patch 109805 Topic: SunOS 5.8_x86: /usr/lib/security/pam_krb5.so.1 patch NOTE: Refer to Special Install Instructions section for IMPORTANT specific information on this patch. Relevant Architectures: i386 BugId's fixed with this patch: 4330143 4351689 4360141 4360931 4373142 4391549 4406541 4435001 4457703 4485174 4499330 4508923 4526202 4630574 4640156 4657596 4699468 4775197 4830044 4865454 Changes incorporated in this version: 4865454 Patches accumulated and obsoleted by this patch: Patches which conflict with this patch: Patches required with this patch: 109224-02 or greater Obsoleted by: Files included with this patch: /usr/bin/kinit /usr/lib/security/pam_krb5.so.1 Problem Description: 4865454 pam_krb5.so.1 doesn't seem to query more than 1 KDC before giving up using MIT (from 109806-16) 4830044 pam_krb5 needs to be repository aware (from 109806-15) 4435001 Missing krb5.conf file can allow anyone to log in. (from 109806-14) 4775197 fix for bug 4630574 is incomplete (from 109806-13) 4630574 pam_krb5 should not reimplement utility functions and use libpam utilities (from 109806-12) 4526202 pam_krb5 auth can fail with multiple ftp sessions of same user (from 109806-11) 4640156 error msg on console: PAM-KRB5 (account): no module data, pam_krb5 auth ... (from 109806-10) 4508923 xscreensaver core dumps when it calls Sun's pam_krb5 module's pam_setcred 4699468 pam_krb5 password aging code should check KDCs password protocol (from 109806-09) 4657596 passwd aging fix does not work for passwords greater than 8 characters. (from 109806-08) 4360141 kpasswd needs to be able to interface with MIT (from 109806-07) 4457703 pam_krb5 doesn't do kerberos password aging (from 109806-06) 4485174 dtsession hangs occasionally on wrong password (krb5 auth) (from 109806-05) 4406541 krb5_err_cleanup() puts bad pointer in environ 4391549 pam_krb5 calls putenv() where is should use pam_putenv() 4499330 pam_krb5.so.1 fails to initialize credentials (from 109806-04) 4360931 case conflict between dns domain and kerberos principal name (from 109806-03) 4373142 krb5 PAM module restricts password to 8 characters (from 109806-02) 4351689 wrong login behavior with kerberos only login (from 109806-01) 4330143 login doesn't work when using the kerberos module in pam.conf only Patch Installation Instructions: -------------------------------- For Solaris 2.0-2.6 releases, refer to the Install.info file and/or the README within the patch for instructions on using the generic 'installpatch' and 'backoutpatch' scripts provided with each patch. For Solaris 7-9 releases, refer to the man pages for instructions on using 'patchadd' and 'patchrm' scripts provided with Solaris. Any other special or non-generic installation instructions should be described below as special instructions. The following example installs a patch to a standalone machine: example# patchadd /var/spool/patch/104945-02 The following example removes a patch from a standalone system: example# patchrm 104945-02 For additional examples please see the appropriate man pages. Special Install Instructions: ----------------------------- Client root principal instances are now always forced to lower-case on the krb5 client, regardless of case of DNS domain in /etc/resolv.conf. Customers with root client principal instances containing upper-case chars (foo.Bar.COM in root/foo.Bar.COM@REALM) need to create new principals of all lower-case instances (root/foo.bar.com@REALM). README -- Last modified date: Tuesday, January 27, 2004