OBSOLETE Patch-ID# 109806-19


Copyright (c) 2012, Oracle and/or its affiliates. All rights reserved.

Keywords: security login kerberos pam.conf authentication pam_krb5.so.1 pointer
Synopsis: Obsoleted by: 112238-15 SunOS 5.8_x86: /usr/lib/security/pam_krb5.so.1 patch
Date: Dec/09/2008


Install Requirements: After installing this patch on an active boot environment, the system will be in a potentially inconsistent state until a reboot is performed. Unless otherwise specified in the Special Install Instructions below, it is normally safe to apply further patches prior to initiating the reboot due to the relatively small footprint of the patch utilities. Normal operations must not be resumed until after the reboot is performed.
Use Single User Mode (run level S) when installing this patch on an active boot environment. An alternative may be specified in the Special Install Instructions.

Solaris Release: 8_x86

SunOS Release: 5.8_x86

Unbundled Product:

Unbundled Release:

Xref: This patch available for SPARC as patch 109805

Topic: SunOS 5.8_x86: /usr/lib/security/pam_krb5.so.1 patch
	NOTE:   Refer to Special Install Instructions section for
                IMPORTANT specific information on this patch.


Relevant Architectures: i386

Bugs fixed with this patch:

Sun CR #    Bug #
4330143     15022133
4351689     15031246
4360141     15034512
4360931     15034737
4373142     15039061
4391549     15045398
4406541     15050106
4435001     15059647
4457703     15064182
4485174     15073492
4499330     15078012
4508923     15081296
4526202     15086950
4630574     15095132
4640156     15097516
4657596     15101567
4699468     15111033
4775197     15132357
4830044     15149949
4865454     15160502
5014663     15201779
5025227     15204434
6200894     15238410
6215066     15243393
6246405     15256599
6455225     15343252
6488352     15358729
6531864     15382508
6607813     15425240
6691206     15474353
6724557     15493571


Changes incorporated in this version: 6200894 6455225 6531864 6607813 6691206 6724557

Patches accumulated and obsoleted by this patch:

Patches which conflict with this patch:

Patches required with this patch: 109224-02 (or greater)

Obsoleted by: 112238-15

Files included with this patch:

/usr/bin/kinit
/usr/lib/security/pam_krb5.so.1

Problem Description:

6200894 pam_krb5 shouldn't use seteuid and friends -- that's not MT-safe
6455225 pam_krb5 should overwrite cache with new credentials when handling pam_setcred
        (PAM_REFRESH_CRED)
6531864 ktkt_warnd not warning after login
6607813 pam_krb5 setcred coredumps on successful refresh if auth not previously called
6691206 pam_krb5's store_cred should always store new credentials if previous auth pass successful
6724557 potential for memory leak in krb5_setcred's krb5_renew_tgt routine
 
(from 109806-18)
 
5014663 pam_krb5: auth prompts for password when principal does not exist
5025227 pam_krb5: auth returns PAM_AUTH_ERR in some cases instead of PAM_SYSTEM_ERR
6215066 kadm apps cannot bind to kadmind if admin_server specifies port #
6246405 Solaris 9 (not Sol 10) PAM stack will prompt for password twice with pam_unix & pam_krb5
6488352 non-kerberos user attempting to change passwd with pam_krb5.so.1 in pam.conf blanks passwd
 
(from 109806-17)
 
4865454 pam_krb5.so.1 doesn't seem to query more than 1 KDC before giving up using MIT
 
(from 109806-16)
 
4830044 pam_krb5 needs to be repository-aware
 
(from 109806-15)
 
4435001 missing krb5.conf file can allow anyone to log in
 
(from 109806-14)
 
4775197 bugfix 4630574 is incomplete
 
(from 109806-13)
 
4630574 pam_krb5 should not re-implement utility functions and use libpam utilities
 
(from 109806-12)
 
4526202 pam_krb5 auth can fail with multiple ftp sessions of same user
 
(from 109806-11)
 
4640156 error msg on console: PAM-KRB5 (account): no module data, pam_krb5 auth ...
 
(from 109806-10)
 
4508923 xscreensaver core dumps when it calls Sun's pam_krb5 module's pam_setcred
4699468 pam_krb5 password aging code should check KDCs password protocol
 
(from 109806-09)
 
4657596 passwd aging fix does not work for passwords greater than 8 characters
 
(from 109806-08)
 
4360141 kpasswd needs to be able to interface with MIT
 
(from 109806-07)
 
4457703 pam_krb5 doesn't do kerberos password aging
 
(from 109806-06)
 
4485174 dtsession hangs occasionally on wrong password (krb5 auth)
 
(from 109806-05)
 
4406541 krb5_err_cleanup() puts bad pointer in environ
4391549 pam_krb5 calls putenv() where it should use pam_putenv()
4499330 pam_krb5.so.1 fails to initialize credentials
 
(from 109806-04)
 
4360931 case conflict between DNS domain and kerberos principal name
 
(from 109806-03)
 
4373142 krb5 PAM module restricts password to 8 characters
 
(from 109806-02)
 
4351689 wrong login behavior with kerberos only login
 
(from 109806-01)
 
4330143 login doesn't work when using the kerberos module in pam.conf only


Patch Installation Instructions:
--------------------------------
Please refer to the man pages for instructions on using 'patchadd'
and 'patchrm' scripts provided with Solaris.
 
The following example installs a patch to a standalone machine:
 
       example# patchadd /var/spool/patch/123456-07
 
The following example removes a patch from a standalone system:
 
       example# patchrm 123456-07
 
For additional examples please see the appropriate man pages. Any
other special or non-generic installation instructions should be
described below as special instructions.


Special Install Instructions:
-----------------------------
 
NOTE 1:  Install the patch in single user mode and do a reconfiguration
         boot (boot -r) immediately after patch installation.
 
NOTE 2:  Client root principal instances are now always forced to
         lower-case on the krb5 client, regardless of case of DNS domain in
         /etc/resolv.conf.  Customers with root client principal instances
         containing upper-case chars (foo.Bar.COM in root/foo.Bar.COM@REALM)
         need to create new principals of all lower-case instances
         (root/foo.bar.com@REALM).
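
Added example (not part of the original patch README): a shell helper for
auditing a saved principal list against NOTE 2. It prints the all-lower-case
root principals that still need to be created. The function names and the
sample list are hypothetical; the input is assumed to be one principal name
per line.

```sh
#!/bin/sh
# Added example: list the all-lower-case root principals that NOTE 2 requires
# but that do not exist yet. Function names and sample data are hypothetical.

# Reads principal names, one per line, on stdin.
missing_lowercase_root_principals() {
    awk '
    {
        name = $0
        seen[name] = 1
        # NOTE 2 concerns root/<instance>@<REALM> principals only.
        if (name !~ "^root/[^@/]+@[^@]+$") next
        at = index(name, "@")
        instance = substr(name, 6, at - 6)   # text between "root/" and "@"
        realm = substr(name, at)             # "@REALM", case left untouched
        if (instance == tolower(instance)) next
        want[++n] = "root/" tolower(instance) realm
    }
    END {
        # Report each needed name once, skipping ones already present.
        for (i = 1; i <= n; i++) {
            if ((want[i] in seen) || (want[i] in printed)) continue
            print want[i]
            printed[want[i]] = 1
        }
    }'
}

# Constructed principal list, not taken from a real KDC.
sample_principals() {
    cat <<'EOF'
root/foo.Bar.COM@REALM
root/mail.example.com@REALM
root/DB1.Example.COM@REALM
root/db1.example.com@REALM
host/Web.Example.COM@REALM
root@REALM
root/foo.Bar.COM@REALM
EOF
}

sample_principals | missing_lowercase_root_principals
```

Only the instance component is lower-cased; the realm keeps its case, and
principals whose lower-case form is already in the list are not reported.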


README -- Last modified date: Friday, November 9, 2012