authorJakub Hrozek <jhrozek@redhat.com>2012-09-09 08:56:13 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-09-10 10:28:14 +0200
commitea45f80628dfbe75dfba7c37c0cb14acf5af440f (patch)
tree6020fbbadb8632d34f0fd5e9bcb26ed6a1fc0962 /src/providers
parent6b758f3a86da4e7a1924d46eebda0f3144c8c979 (diff)
KRB5: Return PAM_AUTH_ERR on incorrect password
https://fedorahosted.org/sssd/ticket/1515
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_child.c51
1 files changed, 32 insertions, 19 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 7562bb451..dc2e3117d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -923,6 +923,36 @@ done:
}
+static int kerr_to_status(krb5_error_code kerr)
+{
+ int pam_status = PAM_SYSTEM_ERR;
+
+ if (kerr == 0) {
+ return PAM_SUCCESS;
+ }
+
+ KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ switch (kerr) {
+ case KRB5_KDC_UNREACH:
+ pam_status = PAM_AUTHINFO_UNAVAIL;
+ break;
+ case KRB5KDC_ERR_KEY_EXP:
+ pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ pam_status = PAM_AUTH_ERR;
+ break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ pam_status = PAM_CRED_ERR;
+ break;
+ default:
+ pam_status = PAM_SYSTEM_ERR;
+ break;
+ }
+
+ return pam_status;
+}
+
static errno_t changepw_child(int fd, struct krb5_req *kr)
{
int ret;
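Review bot: In `kerr_to_status` only `KRB5KRB_AP_ERR_BAD_INTEGRITY` is mapped to `PAM_AUTH_ERR`, while `KRB5KDC_ERR_PREAUTH_FAILED` still becomes `PAM_CRED_ERR`. On principals that require pre-authentication a wrong password is usually reported as the latter, so the behaviour named in the commit title may not hold for them; this is worth confirming against a KDC with pre-authentication enabled. The function also lacks a comment stating its fallback, for example `/* Map a Kerberos error to the PAM status returned in the child's response; unlisted codes become PAM_SYSTEM_ERR. */`. The `default:` branch repeats the initializer of `pam_status`, so one of the two can be dropped.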
@@ -982,9 +1012,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
kr->options);
if (kerr != 0) {
KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- pam_status = PAM_AUTHINFO_UNAVAIL;
- }
+ pam_status = kerr_to_status(kerr);
goto sendresponse;
}
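Review bot: The failure is now logged twice in `changepw_child`: the retained `KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);` runs, and then `kerr_to_status` logs the same code again at the same level. Dropping the call in this branch leaves `pam_status = kerr_to_status(kerr);` followed by `goto sendresponse;`. This path previously translated only `KRB5_KDC_UNREACH` and now also yields `PAM_NEW_AUTHTOK_REQD`, `PAM_AUTH_ERR` and `PAM_CRED_ERR`, so consumers of the password-change result should be checked against the new values. The body of `changepw_child` extends outside the hunk.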
@@ -1152,22 +1180,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
talloc_zfree(pass_str);
memset(kr->pd->authtok, 0, kr->pd->authtok_size);
- if (kerr != 0) {
- KRB5_CHILD_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
- switch (kerr) {
- case KRB5_KDC_UNREACH:
- pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case KRB5KDC_ERR_KEY_EXP:
- pam_status = PAM_NEW_AUTHTOK_REQD;
- break;
- case KRB5KDC_ERR_PREAUTH_FAILED:
- pam_status = PAM_CRED_ERR;
- break;
- default:
- pam_status = PAM_SYSTEM_ERR;
- }
- }
+ pam_status = kerr_to_status(kerr);
sendresponse:
ret = sendresponse(fd, kerr, pam_status, kr);
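Review bot: `pam_status = kerr_to_status(kerr);` is now unconditional, so on `kerr == 0` it overwrites whatever `pam_status` held with `PAM_SUCCESS`, whereas the removed block left it untouched on success. The earlier part of `tgt_req_child` is outside the hunk, so it is not visible whether any path reaches this line with `kerr == 0` and a non-success status; if one does, this change turns it into a successful authentication result. Either keep the guard, `if (kerr != 0) { pam_status = kerr_to_status(kerr); }`, or add a comment such as `/* kerr == 0 maps to PAM_SUCCESS */` to make the new success assignment explicit.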