I found another small issue in auth.c. In verify_creds, krb5_kt_resolve can
be successful but krb5_kt_start_seq_get can fail, so cursor_valid should stay
0; otherwise krb5_kt_end_seq_get crashes with free errors.
retval = krb5_kt_resolve(c, args->keytab, &keytab);
if (retval != 0) {
message = pamk5_compat_get_error(c, retval);
pamk5_error(args, "cannot open keytab %s: %s", args->keytab,
pamk5_compat_free_error(c, message);
keytab = NULL;
if (retval == 0) {
retval = krb5_kt_start_seq_get(c, keytab, &cursor);
==New=> if (retval == 0)
cursor_valid = 1;
if (cursor_valid)
krb5_kt_end_seq_get(c, keytab, &cursor);
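
Review bot: at the ==New=> line the added `if (retval == 0)` has no braces, so only `cursor_valid = 1;` is guarded. Any statement that reads from `cursor` after krb5_kt_start_seq_get needs to sit under the same check, and bracing the block would make that explicit. The krb5_kt_start_seq_get failure is also not reported in the lines shown, unlike the krb5_kt_resolve failure above it, which goes through pamk5_error; logging it the same way would make an unreadable keytab easier to diagnose.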


BTW Merry Christmas

"Russ Allbery" wrote in message
> I'm pleased to announce release 3.9 of pam-krb5.
>
> pam-krb5 is a Kerberos v5 PAM module for either MIT Kerberos or Heimdal.
> It supports ticket refreshing by screen savers, configurable authorization
> handling, authentication of non-local accounts for network services,
> password changing, and password expiration, as well as all the standard
> expected PAM features. It works correctly with OpenSSH, even with
> ChallengeResponseAuthentication and PrivilegeSeparation enabled, and
> supports configuration either by PAM options or in krb5.conf or both.
>
> Changes from previous release:
>
> If use_authtok is set, fail even if we can retrieve the stored PAM
> password if that password is set to NULL. Apparently that can happen
> in some cases, such as with pam_cracklib. Thanks to Christian Holler
> for the diagnosis and a patch.
>
> Add a new clear_on_fail option for the password group. If set, when a
> password change fails, set PAM_AUTHTOK to NULL so that subsequent
> modules in the PAM stack with use_authtok set will also fail. Just
> returning failure doesn't abort the stack on the second pass when
> actual password changes are made. This is not the default since it
> interferes with other desirable PAM configurations. It's useful
> primarily when using the PAM stack to synchronize passwords between
> multiple environments. Thanks to Christian Holler and Tomas Mraz for
> the analysis.
>
> Fix portability issues with Heimdal, versions of PAM that don't
> provide pam_modutil_getpwnam, and compiler warnings when building
> PKINIT support. Thanks, Martin von Gagern.
>
> Fix parsing of the keytab PAM option. Thanks, Markus Moeller.
>
> Return PAM_AUTHINFO_UNAVAIL instead of PAM_AUTH_ERR when unable to
> resolve the Kerberos realm. Thanks, Frank Cornelissen.
>
> Add a new debugging section to the README.
>
> You can download it from:
>
> Debian packages have been uploaded to Debian unstable.
>
> Please let me know of any problems or feature requests not already listed
> in the TODO file.
>
> --
> Russ Allbery (