Check authtok type for krb5 auth and chpass

1 files changed, 12 insertions, 0 deletions

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index c4af471d0..0e5556048 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -620,6 +620,12 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
     char *changepw_princ = NULL;
     krb5_prompter_fct prompter = sss_krb5_prompter;
 
+    if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) {
+        pam_status = PAM_CRED_INSUFFICIENT;
+        kerr = KRB5KRB_ERR_GENERIC;
+        goto sendresponse;
+    }
+
     pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
                               kr->pd->authtok_size);
     if (pass_str == NULL) {
@@ -760,6 +766,12 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
     char *changepw_princ = NULL;
     int pam_status = PAM_SYSTEM_ERR;
 
+    if (kr->pd->authtok_type != SSS_AUTHTOK_TYPE_PASSWORD) {
+        pam_status = PAM_CRED_INSUFFICIENT;
+        kerr = KRB5KRB_ERR_GENERIC;
+        goto sendresponse;
+    }
+
     pass_str = talloc_strndup(kr, (const char *) kr->pd->authtok,
                               kr->pd->authtok_size);
     if (pass_str == NULL) {