summaryrefslogtreecommitdiffstats
path: root/src/providers
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers')
-rw-r--r--src/providers/krb5/krb5_auth.c7
-rw-r--r--src/providers/ldap/ldap_auth.c8
2 files changed, 15 insertions, 0 deletions
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6a57fe5f7..e1aaebf4d 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -635,7 +635,14 @@ void krb5_pam_handler(struct be_req *be_req)
switch (pd->cmd) {
case SSS_PAM_AUTHENTICATE:
case SSS_PAM_CHAUTHTOK:
+ break;
case SSS_PAM_CHAUTHTOK_PRELIM:
+ if (pd->priv == 1 && pd->authtok_size == 0) {
+ DEBUG(4, ("Password reset by root is not supported.\n"));
+ pam_status = PAM_PERM_DENIED;
+ dp_err = DP_ERR_OK;
+ goto done;
+ }
break;
case SSS_PAM_ACCT_MGMT:
case SSS_PAM_SETCRED:
diff --git a/src/providers/ldap/ldap_auth.c b/src/providers/ldap/ldap_auth.c
index e0935da38..95931ac9d 100644
--- a/src/providers/ldap/ldap_auth.c
+++ b/src/providers/ldap/ldap_auth.c
@@ -636,6 +636,14 @@ void sdap_pam_chpass_handler(struct be_req *breq)
goto done;
}
+ if (pd->priv == 1 && pd->cmd == SSS_PAM_CHAUTHTOK_PRELIM &&
+ pd->authtok_size == 0) {
+ DEBUG(4, ("Password reset by root is not supported.\n"));
+ pd->pam_status = PAM_PERM_DENIED;
+ dp_err = DP_ERR_OK;
+ goto done;
+ }
+
DEBUG(2, ("starting password change request for user [%s].\n", pd->user));
pd->pam_status = PAM_SYSTEM_ERR;
generated by cgit (git 2.34.1) at 2024-05-18 16:24:03 +0000