diff options
author | Sumit Bose <sbose@redhat.com> | 2009-10-02 13:50:20 +0200 |
---|---|---|
committer | Simo Sorce <ssorce@redhat.com> | 2009-10-05 17:02:15 -0400 |
commit | 92a4271863fde41c282c698b444d6953633abcd1 (patch) | |
tree | 1c76987cf35f2a8a0d0a80031f523080efde0a12 /server | |
parent | eeb6dc03fef2c3408a7909d0369d578869c3fd19 (diff) | |
download | sssd-92a4271863fde41c282c698b444d6953633abcd1.tar.gz sssd-92a4271863fde41c282c698b444d6953633abcd1.tar.bz2 sssd-92a4271863fde41c282c698b444d6953633abcd1.zip |
handle expired password during authentication
Diffstat (limited to 'server')
-rw-r--r-- | server/providers/krb5/krb5_child.c | 27 |
1 files changed, 25 insertions, 2 deletions
diff --git a/server/providers/krb5/krb5_child.c b/server/providers/krb5/krb5_child.c index 6f698400..7649406f 100644 --- a/server/providers/krb5/krb5_child.c +++ b/server/providers/krb5/krb5_child.c @@ -359,14 +359,37 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr) } kerr = get_and_save_tgt(kr, pass_str); + + /* If the password is expired the KDC will always return + KRB5KDC_ERR_KEY_EXP regardless if the supplied password is correct or + not. In general the password can still be used to get a changepw ticket. + So we validate the password by trying to get a changepw ticket. */ + if (kerr == KRB5KDC_ERR_KEY_EXP) { + kerr = krb5_get_init_creds_password(kr->ctx, kr->creds, kr->princ, + pass_str, NULL, NULL, 0, + kr->krb5_ctx->changepw_principle, + kr->options); + krb5_free_cred_contents(kr->ctx, kr->creds); + if (kerr == 0) { + kerr = KRB5KDC_ERR_KEY_EXP; + } + } + memset(pass_str, 0, kr->pd->authtok_size); talloc_zfree(pass_str); memset(kr->pd->authtok, 0, kr->pd->authtok_size); if (kerr != 0) { KRB5_DEBUG(1, kerr); - if (kerr == KRB5_KDC_UNREACH) { - pam_status = PAM_AUTHINFO_UNAVAIL; + switch (kerr) { + case KRB5_KDC_UNREACH: + pam_status = PAM_AUTHINFO_UNAVAIL; + break; + case KRB5KDC_ERR_KEY_EXP: + pam_status = PAM_AUTHTOK_EXPIRED; + break; + default: + pam_status = PAM_SYSTEM_ERR; } } |