Security Bugs
Unlocking CDE Screenlock Removes Kerberos Version 5 Credentials (4674474)
If you unlock a locked CDE session, all your cached Kerberos version 5 (krb5) credentials might be removed. The result is you might not be able to access various system utilities. This problem occurs under the following conditions:
-
In the /etc/pam.conf file, the dtsession services for your system are configured to use the krb5 module by default.
-
You lock your CDE session, and then try to unlock the session.
If this problem occurs, the following error message is displayed:
lock screen: PAM-KRB5 (auth): Error verifying TGT with host/host-name: Permission denied in replay cache code |
Workaround: Add the following non-pam_krb5 dtsession entries to the /etc/pam.conf file:
dtsession auth requisite pam_authtok_get.so.1 dtsession auth required pam_unix_auth.so.1 |
With these entries in the /etc/pam.conf file, the pam_krb5 module does not run by default.
cron, at, and batch Cannot Schedule Jobs for Locked Accounts (4622431)
In the Solaris 9 8/03 operating environment, locked accounts are treated in the same way as expired or nonexistent accounts. As a result, the cron, at, and batch utilities cannot schedule jobs on locked accounts.
Workaround: To enable locked accounts to accept cron, at, or batch jobs, replace the password field of a locked account (*LK*) with the string NP, for no password.
- © 2010, Oracle Corporation and/or its affiliates