author | Stephen Gallagher <sgallagh@redhat.com> | 2011-04-28 13:51:26 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2011-04-29 11:41:55 -0400 |
commit | da03c0178fb9efb545372557cb0e02ebfdd8e05b (patch) | |
tree | 4332e3ebd12f08acf32bcf81adedb552379e90a4 /src/providers/krb5/krb5_auth.c | |
parent | 1a047efd69a1e457e466e79b4244dd9ac2e671f1 (diff) | |
Fix bad password caching when using automatic TGT renewal [sssd-1_5_7]
Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856
Diffstat (limited to 'src/providers/krb5/krb5_auth.c')
-rw-r--r-- | src/providers/krb5/krb5_auth.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 44075f031..e7a6699f0 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1000,8 +1000,13 @@ static void krb5_save_ccname_done(struct tevent_req *req)
     state->dp_err = DP_ERR_OK;
     switch(pd->cmd) {
-        case SSS_PAM_AUTHENTICATE:
         case SSS_CMD_RENEW:
+            /* The authtok is set to the credential cache
+             * during renewal. We don't want to save this
+             * as the cached password.
+             */
+            break;
+        case SSS_PAM_AUTHENTICATE:
         case SSS_PAM_CHAUTHTOK_PRELIM:
             password = talloc_size(state, pd->authtok_size + 1);
             if (password != NULL) {
@@ -1021,8 +1026,11 @@ static void krb5_save_ccname_done(struct tevent_req *req)
     }
     if (password == NULL) {
-        DEBUG(0, ("password not available, offline auth may not work.\n"));
-        ret = EOK; /* password caching failures are not fatal errors */
+        if (pd->cmd != SSS_CMD_RENEW) {
+            DEBUG(0, ("password not available, offline auth may not work.\n"));
+            /* password caching failures are not fatal errors */
+        }
+        ret = EOK;
         goto done;
     }
@@ -1034,6 +1042,7 @@ static void krb5_save_ccname_done(struct tevent_req *req)
         if (ret) {
             DEBUG(2, ("Failed to cache password, offline auth may not work."
                       " (%d)[%s]!?\n", ret, strerror(ret)));
+            /* password caching failures are not fatal errors */
         }
     }
|
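Review bot: The comment `/* password caching failures are not fatal errors */` in the second hunk now sits inside the `pd->cmd != SSS_CMD_RENEW` block beside the DEBUG call, while the statement it justifies, `ret = EOK;`, has moved outside that block, and the third hunk adds the same comment inside `if (ret)` with no statement after it. Keep it on the line it explains, `ret = EOK; /* password caching failures are not fatal errors */`, and in the third hunk attach it to wherever ret is reset after the DEBUG (that code is outside the hunk). The renewal special case is now encoded in two places, the `break` in the SSS_CMD_RENEW arm and the `pd->cmd != SSS_CMD_RENEW` test, so a short comment at the second site, `/* renewals carry the ccache name, not a password (see switch above) */`, would tell a reader why a NULL password is deliberately silent there. The body of krb5_save_ccname_done starts before the first hunk and continues after the third, so whether the switch has a default arm for commands other than the three listed is not visible here.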