From bea400f197c7b63eb265abad2647849248cfffd8 Mon Sep 17 00:00:00 2001
From: Timothy Pearson
Date: Sat, 7 Jun 2014 17:47:33 -0500
Subject: [PATCH] Fix security hole when Kerberos credential caching is enabled

The prior PAM stack configuration, while unfortunately present in many online examples, allows storing of an arbitrary cached password for non-Kerberos users by simply entering it twice
---
 src/libtdeldap.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/libtdeldap.cpp b/src/libtdeldap.cpp
index 5309ecb..d051ad2 100644
--- a/src/libtdeldap.cpp
+++ b/src/libtdeldap.cpp
@@ -4087,7 +4087,7 @@ int LDAPManager::writePAMFiles(LDAPPamConfig pamConfig, TQString *errstr) {
 stream << "auth sufficient pam_unix.so nullok try_first_pass" << "\n";
 stream << "auth [default=ignore success=1 service_err=reset] pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass" << "\n";
 if (pamConfig.enable_cached_credentials) {
- stream << "auth [default=bad success=ok] pam_ccreds.so action=validate use_first_pass" << "\n";
+ stream << "auth [default=die success=done] pam_ccreds.so action=validate use_first_pass" << "\n";
 stream << "auth sufficient pam_ccreds.so action=store use_first_pass" << "\n";
 }
 stream << "auth required pam_deny.so" << "\n";
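Review bot: The new `[default=die success=done]` control on the pam_ccreds validate line carries the whole security argument of this commit, but nothing in the code says why, so a later "cleanup" back to the widely copied `[default=bad success=ok]` form would silently reopen the hole; add a comment above the line such as `// default=die: a failed cache validation must terminate the auth stack here, otherwise a non-Kerberos user reaches the "store" line below and can plant a password of their own choosing; success=done returns immediately on a valid cached credential`. The fix itself looks right: with `die` the `action=store` line is only reachable via the `success=1` skip on the pam_krb5 line (i.e. after a real Kerberos success) or after a successful validate, which is exactly the intended ordering. That `success=1` skip count in the context line is, however, coupled to the ccreds block emitting exactly one line before `store`, and when `enable_cached_credentials` is false it appears to jump past `pam_deny` off the end of the stack — presumably intentional, but worth a one-line comment on the pam_krb5 line so the coupling is visible to whoever next edits this block. `LDAPManager::writePAMFiles` starts and continues outside the hunk, so I cannot see whether other stacks written by the same function (account/session) carry the same pattern.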