Fix bad password caching when using automatic TGT renewal

Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856

1 files changed, 12 insertions, 3 deletions

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 55a06a51..c4d108fe 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -992,8 +992,13 @@ static void krb5_save_ccname_done(struct tevent_req *req)
         state->dp_err = DP_ERR_OK;
 
         switch(pd->cmd) {
-            case SSS_PAM_AUTHENTICATE:
             case SSS_CMD_RENEW:
+                /* The authtok is set to the credential cache
+                 * during renewal. We don't want to save this
+                 * as the cached password.
+                 */
+                break;
+            case SSS_PAM_AUTHENTICATE:
             case SSS_PAM_CHAUTHTOK_PRELIM:
                 password = talloc_size(state, pd->authtok_size + 1);
                 if (password != NULL) {
@@ -1013,8 +1018,11 @@ static void krb5_save_ccname_done(struct tevent_req *req)
         }
 
         if (password == NULL) {
-            DEBUG(0, ("password not available, offline auth may not work.\n"));
-            ret = EOK; /* password caching failures are not fatal errors */
+            if (pd->cmd != SSS_CMD_RENEW) {
+                DEBUG(0, ("password not available, offline auth may not work.\n"));
+                /* password caching failures are not fatal errors */
+            }
+            ret = EOK;
             goto done;
         }
 
@@ -1026,6 +1034,7 @@ static void krb5_save_ccname_done(struct tevent_req *req)
         if (ret) {
             DEBUG(2, ("Failed to cache password, offline auth may not work."
                       " (%d)[%s]!?\n", ret, strerror(ret)));
+            /* password caching failures are not fatal errors */
         }
     }