From fffdae81651b460f3d2c119c56d5caa09b4de42a Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 28 Apr 2011 13:51:26 -0400 Subject: Fix bad password caching when using automatic TGT renewal Fixes CVE-2011-1758, https://fedorahosted.org/sssd/ticket/856 --- src/providers/krb5/krb5_auth.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index 55a06a51..c4d108fe 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -992,8 +992,13 @@ static void krb5_save_ccname_done(struct tevent_req *req) state->dp_err = DP_ERR_OK; switch(pd->cmd) { - case SSS_PAM_AUTHENTICATE: case SSS_CMD_RENEW: + /* The authtok is set to the credential cache + * during renewal. We don't want to save this + * as the cached password. + */ + break; + case SSS_PAM_AUTHENTICATE: case SSS_PAM_CHAUTHTOK_PRELIM: password = talloc_size(state, pd->authtok_size + 1); if (password != NULL) { @@ -1013,8 +1018,11 @@ static void krb5_save_ccname_done(struct tevent_req *req) } if (password == NULL) { - DEBUG(0, ("password not available, offline auth may not work.\n")); - ret = EOK; /* password caching failures are not fatal errors */ + if (pd->cmd != SSS_CMD_RENEW) { + DEBUG(0, ("password not available, offline auth may not work.\n")); + /* password caching failures are not fatal errors */ + } + ret = EOK; goto done; } @@ -1026,6 +1034,7 @@ static void krb5_save_ccname_done(struct tevent_req *req) if (ret) { DEBUG(2, ("Failed to cache password, offline auth may not work." " (%d)[%s]!?\n", ret, strerror(ret))); + /* password caching failures are not fatal errors */ } } -- cgit