I received a Debian bug report from Russ Albery on Courier's authlib.
Maybe someone can shed a light on this, as I have very little understanding
of PAM internals and authlib.
Note that I don't use Courier myself. I found this bug while
investigating a problem reported against libpam-krb5.
authpam.c makes for rather surreal reading. There's a large comment
that explains a complex and thorough philosophy for how the PAM code
is supposed to work, but then all the code that implements that is
removed with #if 0 and the actual code does something much simpler.
Unfortunately, while the comment and the other code was written by
someone who understands PAM library issues and complexity, the code
that's actually run never calls pam_end. This means that any external
resources allocated by the PAM module, such as the Kerberos ticket
cache created by pam-krb5, are never released.
The #if 0 code does the right thing, but as long as the code works the
way it does now, a call to:
needs to be inserted after the call to dopam() in the p == 0 block.