Bug 457179 - kerberos credental caches no longer reset correctly on screen unlock
Summary: kerberos credental caches no longer reset correctly on screen unlock
Status: RESOLVED FIXED
Alias: None
Product: kscreenlocker
Classification: Plasma
Component: greeter (show other bugs)
Version: 5.25.1
Platform: Arch Linux Linux
: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
URL:
Keywords: regression
Depends on:
Blocks:
 
Reported: 2022-07-27 01:06 UTC by Mark Davies
Modified: 2022-09-06 14:56 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In: 5.26
Sentry Crash Report:


Attachments
fix for not calling pam_setcred() (500 bytes, patch)
2022-07-27 01:06 UTC, Mark Davies
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mark Davies 2022-07-27 01:06:02 UTC
Created attachment 150934 [details]
fix for not calling pam_setcred()

SUMMARY

Since kscreenlocker_greet did the PAM handling internally rather than calling kcheckpass the kerberos credential cache no longer gets reset correctly on unlock.


STEPS TO REPRODUCE
1.  Use kerberos for authentication
2.  lock and unlock the screen

OBSERVED RESULT

/tmp/krb5cc_<uid>_<random> is not touched
/tmp/krb5cc_pam_<random> appears

EXPECTED RESULT

/tmp/krb5cc_<uid>_<random>  is replaced by contents of /tmp/krb5cc_pam_<random>

ADDITIONAL INFORMATION

kcheckpass called pam_setcred() on successful authentication, but kscreenlocker_greet does not.

patch to fix is attached.
Comment 1 Nate Graham 2022-07-27 20:32:03 UTC
Thanks for the patch! Can you please submit it at https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/?
Comment 2 Bug Janitor Service 2022-09-03 20:29:56 UTC
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kscreenlocker/-/merge_requests/95
Comment 3 Nate Graham 2022-09-06 14:54:23 UTC
Git commit c5d4169898535ed2fdea6f89f207f7f44e63b850 by Nate Graham, on behalf of Mattias Jernberg.
Committed on 06/09/2022 at 14:51.
Pushed by ngraham into branch 'master'.

Refresh pam credentials when authenticating

This is necessary to make pam_krb5 update your kerberos credential
cache.

M  +2    -0    greeter/pamauthenticator.cpp

https://invent.kde.org/plasma/kscreenlocker/commit/c5d4169898535ed2fdea6f89f207f7f44e63b850