summaryrefslogtreecommitdiff
path: root/src/providers/krb5
diff options
context:
space:
mode:
authorStephen Gallagher <sgallagh@redhat.com>2011-04-28 13:51:26 -0400
committerStephen Gallagher <sgallagh@redhat.com>2011-04-29 11:41:09 -0400
commitfffdae81651b460f3d2c119c56d5caa09b4de42a (patch)
tree0fb28d3a93f6071bea7fb743b08074c15cc795ab /src/providers/krb5
parent5f0838ccee6c27e784cc9ac80b2dc153769fbe10 (diff)
downloadsssd-fffdae81651b460f3d2c119c56d5caa09b4de42a.tar.gz
sssd-fffdae81651b460f3d2c119c56d5caa09b4de42a.tar.bz2
sssd-fffdae81651b460f3d2c119c56d5caa09b4de42a.zip
Fix bad password caching when using automatic TGT renewal
Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
Diffstat (limited to 'src/providers/krb5')
-rw-r--r--src/providers/krb5/krb5_auth.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 55a06a51..c4d108fe 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -992,8 +992,13 @@ static void krb5_save_ccname_done(struct tevent_req *req)
state->dp_err = DP_ERR_OK;
switch(pd->cmd) {
- case SSS_PAM_AUTHENTICATE:
case SSS_CMD_RENEW:
+ /* The authtok is set to the credential cache
+ * during renewal. We don't want to save this
+ * as the cached password.
+ */
+ break;
+ case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK_PRELIM:
password = talloc_size(state, pd->authtok_size + 1);
if (password != NULL) {
@@ -1013,8 +1018,11 @@ static void krb5_save_ccname_done(struct tevent_req *req)
}
if (password == NULL) {
- DEBUG(0, ("password not available, offline auth may not work.\n"));
- ret = EOK; /* password caching failures are not fatal errors */
+ if (pd->cmd != SSS_CMD_RENEW) {
+ DEBUG(0, ("password not available, offline auth may not work.\n"));
+ /* password caching failures are not fatal errors */
+ }
+ ret = EOK;
goto done;
}
@@ -1026,6 +1034,7 @@ static void krb5_save_ccname_done(struct tevent_req *req)
if (ret) {
DEBUG(2, ("Failed to cache password, offline auth may not work."
" (%d)[%s]!?\n", ret, strerror(ret)));
+ /* password caching failures are not fatal errors */
}
}