From 5359c2ce8d562353f01940ed19e41c584e89f245 Mon Sep 17 00:00:00 2001
From: Ondrej Kos <okos@redhat.com>
Date: Wed, 17 Jul 2013 13:42:57 +0200
Subject: KRB: Handle empty password gracefully

https://fedorahosted.org/sssd/ticket/1814

Return authentication error when empty password is passed.
---
 src/providers/krb5/krb5_auth.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 22495f570..4c2fe0f24 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -495,6 +495,17 @@ struct tevent_req *krb5_auth_send(TALLOC_CTX *mem_ctx,
         case SSS_PAM_AUTHENTICATE:
         case SSS_PAM_CHAUTHTOK:
             if (sss_authtok_get_type(pd->authtok) != SSS_AUTHTOK_TYPE_PASSWORD) {
+                /* handle empty password gracefully */
+                if (sss_authtok_get_type(pd->authtok) == SSS_AUTHTOK_TYPE_EMPTY) {
+                    DEBUG(SSSDBG_CRIT_FAILURE,
+                          ("Illegal zero-length authtok for user [%s]\n",
+                           pd->user));
+                    state->pam_status = PAM_AUTH_ERR;
+                    state->dp_err = DP_ERR_OK;
+                    ret = EOK;
+                    goto done;
+                }
+
                 DEBUG(SSSDBG_CRIT_FAILURE,
                       ("Wrong authtok type for user [%s]. " \
                        "Expected [%d], got [%d]\n", pd->user,
-- 
cgit