Bug #59250 Module does not work with latest pam_krb5 from CentOS 5.5 update
Submitted: 2010-06-02 14:04 UTC Modified: 2010-06-02 15:37 UTC
From: wesley at bu dot edu Assigned:
Status: Closed Package: PAM (PECL)
PHP Version: 5.1.6 OS: CentOS 5.5
Private report: No CVE-ID: None
 [2010-06-02 14:04 UTC] wesley at bu dot edu
Description:
------------
I realize you do not maintain this module against specific distro pkgs but any RHEL or CentOS 5.5 users (and maybe even some Fedora users) will not be able to run php-PAM with the latest updates.

A recent update to pam_krb5 in CentOS 5.5 causes the php-PAM module to fail to authenticate users. The update version is pam_krb5-2.2.14-15. Changelog entries from this pkg are:

* Mon Dec 14 2009 Nalin Dahyabhai <nalin@redhat.com> 2.2.14-15
- update backport for selecting which key to use for validation so that it prefers services with the local host name as the instance, from HEAD (more of #450776)

* Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> 2.2.14-14
- backport the "multiple_ccaches" option from HEAD, requiring that it be enabled to not immediately remove an old ccache when asked to create a new one (#463417)

* Fri Dec 11 2009 Nalin Dahyabhai <nalin@redhat.com> 2.2.14-13
- add patch to add the "chpw_prompt" option, to allow the older behavior of attempting a password-change during authentication if libkrb5 detects an expired password, based on patch from Olivier Fourdan (#509092)

* Mon Jun 15 2009 Nalin Dahyabhai <nalin@redhat.com> 2.2.14-12
- don't vary the password prompt depending on whether or not the user exists or is known to the KDC (CVE-2009-1384, #505265)
- prefer using the "host" service when verifying that a TGT isn't forged, from HEAD (#450776)

* Fri Mar 27 2009 Nalin Dahyabhai <nalin@redhat.com> 2.2.14-11
- don't enforce minimum_uid when no_user_check is also used, from HEAD (#490404)
- don't try to get password-changing creds with all of the flags set that we'd request for a TGT (#489015)


Expected result:
----------------
httpd: pam_krb5[5892]: authentication succeeds for 'user'

Actual result:
--------------
httpd: pam_krb5[5624]: authentication fails for 'user': Authentication failure (Cannot read password)

 [2010-06-02 14:29 UTC] mikael at embargo dot se
I'm sorry but I don't have any Kerberos enabled environment in which to debug or fix this problem, however if you would submit a patch I would be happy to apply it.
 [2010-06-02 15:37 UTC] wesley at bu dot edu
Did a bit of debugging in PAM and found that adding "no_initial_prompt" as an argument to the pam_krb5.so call in the php pam config file fixed the issue.  My guess is a recent change in pam_krb5 causes the passwd to be supplied incorrectly, but this arg tells pam_krb5 to not request until and if needed to auth.  So if anyone else has similar problems you can let them know about this fix.
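
A check for the workaround described in the comment above, as an added example that is not part of the original report or the module's code: it lists `auth` entries for `pam_krb5.so` in a PAM service file that lack `no_initial_prompt`. The function name and the sample file contents are constructed for illustration; the script assumes the `/etc/pam.d` per-service file layout and does not follow backslash line continuations or include directives.

```shell
#!/bin/sh
# Print "lineno: entry" for every auth-stack pam_krb5.so entry in the PAM
# service file "$1" that lacks no_initial_prompt.
# Exit status is 1 if at least one such entry is found, 0 otherwise.
krb5_missing_no_initial_prompt() {
    awk '
        { sub(/#.*/, "") }                      # drop comments
        $1 == "auth" || $1 == "-auth" {         # only the auth stack prompts
            has_mod = 0; has_arg = 0
            for (i = 2; i <= NF; i++) {
                # module may be given bare or with a full path
                if ($i ~ /(^|\/)pam_krb5\.so$/) has_mod = 1
                if ($i == "no_initial_prompt")  has_arg = 1
            }
            if (has_mod && !has_arg) { print FNR ": " $0; bad = 1 }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample service file (not taken from the report).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example of a PAM service file
auth       required     pam_env.so
auth       sufficient   pam_krb5.so
auth       sufficient   /lib/security/pam_krb5.so no_initial_prompt
account    required     pam_krb5.so
EOF

# Reports line 3 only: line 4 already has the argument, line 5 is not auth.
krb5_missing_no_initial_prompt "$sample" ||
    echo "entries above call pam_krb5.so without no_initial_prompt"
rm -f "$sample"
```

Pass the path of the service file that php-PAM is configured to use as the only argument.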
 
Last updated: Wed Nov 25 03:01:23 2020 UTC