pam_krb5 should use syslog with facility LOG_AUTH

Bug #227531 reported by Mark Painter
Affects: libpam-krb5 (Ubuntu)
  Status: Fix Released
  Importance: Undecided
  Assigned to: Unassigned
Affects: libpam-krb5 (Ubuntu Hardy)
  Status: Won't Fix
  Importance: Undecided
  Assigned to: Unassigned

Bug Description

Binary package hint: libpam-krb5

This is not a problem in sid as they've moved from MIT to Heimdal for libpam-krb5, so it shouldn't be a problem on ibex, but it'd be nice to log with the auth facility on hardy too.

Russ Allbery (rra-debian) wrote :

Er, Debian sid most certainly has not moved to Heimdal for libpam-krb5. What made you think that we had?

I wish you'd sent me this patch instead of just filing it into the Ubuntu bug tracking system, since I don't get copies of the bugs filed here. If you had, it would have made it into 3.11; now it will have to wait for 3.12.

Surely this should be LOG_AUTHPRIV and not LOG_AUTH, no?

Mark Painter (mpainter) wrote :

I can't find now what made me think Debian had gone to Heimdal. Yes, it should be LOG_AUTHPRIV and not LOG_AUTH, and on further inspection it looks like this is needed in sid too, which I remember not being the case when I looked last.

Russ Allbery (rra-debian) wrote : Re: [Bug 227531] Re: pam_krb5 should use syslog with facility LOG_AUTH

Mark Painter <email address hidden> writes:

> I can't find now what made me think Debian had gone to Heimdal. Yes, it
> should be LOG_AUTHPRIV and not LOG_AUTH, and on further inspection it
> looks like this is needed in sid too, which I remember not being the
> case when I looked last.

Yup, agreed. It's needed everywhere.

--
Russ Allbery (<email address hidden>) <http://www.eyrie.org/~eagle/>
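
An added illustration of the facility point settled in the exchange above (example code written for this page, not pam_krb5's own logging code; the krb_pam_* names are assumed): a PAM module runs inside whatever program loaded it (sshd, login, cron), and that program may already have called openlog() with its own default facility, so the module gets predictable routing to the authpriv log by putting the facility into every priority it passes to syslog(3).

```c
#define _DEFAULT_SOURCE
#include <stdarg.h>
#include <stdio.h>
#include <syslog.h>

/* Facility for everything this module logs.  On Debian/Ubuntu authpriv is
 * routed to the restricted /var/log/auth.log, whereas auth may end up in
 * files readable by every local user on some configurations. */
#define KRB_PAM_FACILITY LOG_AUTHPRIV

/* Build the priority handed to syslog(3): facility | severity.  The argument
 * is masked with LOG_PRI so that a caller passing a full priority by mistake
 * (e.g. LOG_AUTH | LOG_ERR) is still tagged authpriv. */
int krb_pam_priority(int severity)
{
    return KRB_PAM_FACILITY | LOG_PRI(severity);
}

/* Facility bits of a priority; used to check what a call would be tagged with. */
int krb_pam_facility_of(int priority)
{
    return priority & LOG_FACMASK;
}

/* Log through the syslog connection the host application already owns.
 * Calling openlog() here would replace the identity and default facility of
 * the program that loaded the module, so the facility is carried in each
 * priority instead and the routing no longer depends on that default. */
void krb_pam_log(int severity, const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsyslog(krb_pam_priority(severity), fmt, ap);
    va_end(ap);
}

int main(void)
{
    /* Constructed sample message; it should appear in the authpriv log. */
    krb_pam_log(LOG_NOTICE, "pam_krb5 example: authentication failure for %s",
                "exampleuser");
    printf("facility 0x%x severity %d\n",
           krb_pam_facility_of(krb_pam_priority(LOG_NOTICE)),
           LOG_PRI(krb_pam_priority(LOG_NOTICE)));
    return 0;
}
```

To confirm the routing on a given host, send one message at priority authpriv.notice and check which file the local syslog configuration delivers it to.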

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libpam-krb5 - 3.13-2ubuntu1

---------------
libpam-krb5 (3.13-2ubuntu1) jaunty; urgency=low

  * Merge from Debian unstable, remaining changes:
    - debian/{pam-auth-update,postinst,prerm}, debian/rules, debian/dirs:
      enable pam_krb5 by default using the new pam-auth-update support.
    - debian/control: depend on libpam-runtime (>= 1.0.1-6) for the
      above.
  * Logging is now done with the LOG_AUTHPRIV facility. LP: #227531.

libpam-krb5 (3.13-2) unstable; urgency=low

  * Upload to unstable.

libpam-krb5 (3.13-1) experimental; urgency=high

  * New upstream release.
    - SECURITY (CVE-2009-0360): If invoked in a setuid context, ignore
      user environment variables that specify the local keytab and
      Kerberos configuration. Protects against a privilege escalation
      vulnerability.
    - SECURITY (CVE-2009-0361): Protect against applications calling
      pam_setcred with PAM_REINITIALIZE_CREDS as root in a setuid
      context. This API call is designed to reinitialize an existing
      Kerberos ticket cache and therefore trusts the KRB5CCNAME
      environment variable, but in a setuid context, this may allow
      overwriting arbitrary files.
  * Install the upstream NEWS file as an upstream changelog.
  * Add ${misc:Depends} to the package dependencies.
  * Improve wording for the GPL pointer. The package may be distributed
    under any version of the GPL.

libpam-krb5 (3.12-1) experimental; urgency=low

  * New upstream release.
    - New alt_auth_map, force_alt_auth, and only_alt_auth options to map
      usernames to alternative Kerberos principals for authentication.
    - Log to authpriv, not auth.
    - Correctly log an exit status of ignore during debugging.
    - Document ssh session requirement. (Closes: #492039)
    - Document ignore handling with [] actions. (Closes: #492379)
  * Update to debhelper compatibility mode V7.
    - Use debhelper rule minimization except for configure.
    - Let the upstream Makefile do the installation.
  * Remove NEWS.Debian, only of interest in upgrades from sarge.

 -- Steve Langasek <email address hidden> Wed, 04 Mar 2009 02:54:58 +0000

Changed in libpam-krb5:
status: New → Fix Released
Rolf Leggewie (r0lf) wrote :

Hardy has seen the end of its life and is no longer receiving any updates. Marking the Hardy task for this ticket as "Won't Fix".

Changed in libpam-krb5 (Ubuntu Hardy):
status: New → Won't Fix