summaryrefslogtreecommitdiff
path: root/server
diff options
context:
space:
mode:
authorSumit Bose <sbose@redhat.com>2009-10-02 13:50:20 +0200
committerSimo Sorce <ssorce@redhat.com>2009-10-05 17:02:15 -0400
commit92a4271863fde41c282c698b444d6953633abcd1 (patch)
tree1c76987cf35f2a8a0d0a80031f523080efde0a12 /server
parenteeb6dc03fef2c3408a7909d0369d578869c3fd19 (diff)
downloadsssd-92a4271863fde41c282c698b444d6953633abcd1.tar.gz
sssd-92a4271863fde41c282c698b444d6953633abcd1.tar.bz2
sssd-92a4271863fde41c282c698b444d6953633abcd1.zip
handle expired password during authentication
Diffstat (limited to 'server')
-rw-r--r--server/providers/krb5/krb5_child.c27
1 files changed, 25 insertions, 2 deletions
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c
index 6f698400..7649406f 100644
--- a/server/providers/krb5/krb5_child.c
+++ b/server/providers/krb5/krb5_child.c
@@ -359,14 +359,37 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
}
kerr = get_and_save_tgt(kr, pass_str);
+
+ /* If the password is expired the KDC will always return
+ KRB5KDC_ERR_KEY_EXP regardless if the supplied password is correct or
+ not. In general the password can still be used to get a changepw ticket.
+ So we validate the password by trying to get a changepw ticket. */
+ if (kerr == KRB5KDC_ERR_KEY_EXP) {
+ kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ,
+ pass_str, NULL, NULL, 0,
+ kr->krb5_ctx->changepw_principle,
+ kr->options);
+ krb5_free_cred_contents(kr->ctx, kr->creds);
+ if (kerr == 0) {
+ kerr = KRB5KDC_ERR_KEY_EXP;
+ }
+ }
+
memset(pass_str, 0, kr->pd->authtok_size);
talloc_zfree(pass_str);
memset(kr->pd->authtok, 0, kr->pd->authtok_size);
if (kerr != 0) {
KRB5_DEBUG(1, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- pam_status = PAM_AUTHINFO_UNAVAIL;
+ switch (kerr) {
+ case KRB5_KDC_UNREACH:
+ pam_status = PAM_AUTHINFO_UNAVAIL;
+ break;
+ case KRB5KDC_ERR_KEY_EXP:
+ pam_status = PAM_AUTHTOK_EXPIRED;
+ break;
+ default:
+ pam_status = PAM_SYSTEM_ERR;
}
}