From feece80b0f52ebe883d8e211cfe8faa93bd991f7 Mon Sep 17 00:00:00 2001 From: Ondrej Kos Date: Wed, 17 Jul 2013 13:42:57 +0200 Subject: KRB: Handle empty password gracefully https://fedorahosted.org/sssd/ticket/1814 Return authentication error when empty password is passed. --- src/providers/krb5/krb5_auth.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'src') diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 22495f57..4c2fe0f2 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -495,6 +495,17 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx, case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK: if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) { + /* handle empty password gracefully */ + if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_EMPTY) { + DEBUG(SSSDBG_CRIT_FAILURE, + ("Illegal zero-length authtok for user [%s]\n", + pd->user)); + state->pam_status = PAM_AUTH_ERR; + state->dp_err = DP_ERR_OK; + ret = EOK; + goto done; + } + DEBUG(SSSDBG_CRIT_FAILURE, ("Wrong authtok type for user [%s]. " \ "Expected [%d], got [%d]\n", pd->user, -- cgit