authorJakub Hrozek <jhrozek@redhat.com>2012-09-09 08:56:13 -0400
committerJakub Hrozek <jhrozek@redhat.com>2012-09-21 10:59:27 +0200
commitb196e1e91ec04ca5af93bfd2dcfc5225f4858a54 (patch)
tree6202853f07fd93cb5c6ad924f749abc29864d226 /src
parent24989e604037d780b6f523f1880596ee917c1468 (diff)
KRB5: Return PAM_AUTH_ERR on incorrect password
https://fedorahosted.org/sssd/ticket/1515
Diffstat (limited to 'src')
-rw-r--r--src/providers/krb5/krb5_child.c69
1 files changed, 39 insertions, 30 deletions
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 08e525ce2..263c5fa98 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -728,6 +728,41 @@ done:
}
+static int kerr_handle_error(krb5_error_code kerr)
+{
+ int pam_status;
+
+ KRB5_DEBUG(SSSDBG_CRIT_FAILURE, kerr);
+ switch (kerr) {
+ case KRB5_KDC_UNREACH:
+ pam_status = PAM_AUTHINFO_UNAVAIL;
+ break;
+ case KRB5KDC_ERR_KEY_EXP:
+ pam_status = PAM_NEW_AUTHTOK_REQD;
+ break;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ pam_status = PAM_AUTH_ERR;
+ break;
+ case KRB5KDC_ERR_PREAUTH_FAILED:
+ pam_status = PAM_CRED_ERR;
+ break;
+ default:
+ pam_status = PAM_SYSTEM_ERR;
+ break;
+ }
+
+ return pam_status;
+}
+
+static int kerr_to_status(krb5_error_code kerr)
+{
+ if (kerr == 0) {
+ return PAM_SUCCESS;
+ }
+
+ return kerr_handle_error(kerr);;
+}
+
static errno_t changepw_child(int fd, struct krb5_req *kr)
{
int ret;
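Review bot: kerr_handle_error logs every Kerberos failure at SSSDBG_CRIT_FAILURE, including KRB5KDC_ERR_PREAUTH_FAILED and KRB5KRB_AP_ERR_BAD_INTEGRITY, which this very mapping treats as ordinary wrong-password outcomes rather than system faults; on a busy host that turns routine bad logins into critical-level log noise that can drown real KDC problems, so consider logging the user-error cases at a lower level, e.g. `KRB5_DEBUG(kerr == KRB5KDC_ERR_PREAUTH_FAILED ? SSSDBG_OP_FAILURE : SSSDBG_CRIT_FAILURE, kerr);`. The function also deserves a header comment since four call sites now depend on it, something like `/* Map a libkrb5 error to the PAM status returned to pam_sss; 0 is not handled here, callers use kerr_to_status() for that. */`. The trailing `;;` in kerr_to_status's return is harmless but should be `return kerr_handle_error(kerr);`. The replaced switch in tgt_req_child (third hunk) lacked the BAD_INTEGRITY case, so that path's behavior changes as the title intends; the changepw_child and renew_tgt_child call sites, which previously only mapped KRB5_KDC_UNREACH, now inherit the full table as well.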
@@ -776,10 +811,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
changepw_princ,
kr->options);
if (kerr != 0) {
- KRB5_DEBUG(1, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- pam_status = PAM_AUTHINFO_UNAVAIL;
- }
+ pam_status = kerr_handle_error(kerr);
goto sendresponse;
}
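Review bot: In the password-change path this call site previously left pam_status untouched for anything other than KRB5_KDC_UNREACH, and now maps KRB5KDC_ERR_KEY_EXP to PAM_NEW_AUTHTOK_REQD and KRB5KDC_ERR_PREAUTH_FAILED to PAM_CRED_ERR through the shared table; whether a wrong current password during a change should surface as PAM_CRED_ERR or as PAM_AUTH_ERR (as the commit title states for the login case) is not visible here and is worth confirming against how pam_sss interprets the status in the chauthtok flow. If the change path needs different semantics, a dedicated mapping at this site is cheaper than special-casing kerr_handle_error. changepw_child's body starts and ends outside this hunk.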
@@ -866,12 +898,7 @@ static errno_t changepw_child(int fd, struct krb5_req *kr)
talloc_zfree(newpass_str);
memset(kr->pd->newauthtok, 0, kr->pd->newauthtok_size);
- if (kerr != 0) {
- KRB5_DEBUG(1, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- pam_status = PAM_AUTHINFO_UNAVAIL;
- }
- }
+ pam_status = kerr_to_status(kerr);
sendresponse:
ret = sendresponse(fd, kerr, pam_status, kr);
@@ -940,22 +967,7 @@ static errno_t tgt_req_child(int fd, struct krb5_req *kr)
talloc_zfree(pass_str);
memset(kr->pd->authtok, 0, kr->pd->authtok_size);
- if (kerr != 0) {
- KRB5_DEBUG(1, kerr);
- switch (kerr) {
- case KRB5_KDC_UNREACH:
- pam_status = PAM_AUTHINFO_UNAVAIL;
- break;
- case KRB5KDC_ERR_KEY_EXP:
- pam_status = PAM_NEW_AUTHTOK_REQD;
- break;
- case KRB5KDC_ERR_PREAUTH_FAILED:
- pam_status = PAM_CRED_ERR;
- break;
- default:
- pam_status = PAM_SYSTEM_ERR;
- }
- }
+ pam_status = kerr_to_status(kerr);
sendresponse:
ret = sendresponse(fd, kerr, pam_status, kr);
@@ -1029,10 +1041,7 @@ static errno_t renew_tgt_child(int fd, struct krb5_req *kr)
kerr = krb5_get_renewed_creds(kr->ctx, kr->creds, kr->princ, ccache, NULL);
if (kerr != 0) {
- KRB5_DEBUG(1, kerr);
- if (kerr == KRB5_KDC_UNREACH) {
- status = PAM_AUTHINFO_UNAVAIL;
- }
+ status = kerr_handle_error(kerr);
goto done;
}