author | Nalin Dahyabhai <nalin@fedoraproject.org> | 2008-09-04 15:13:51 +0000 |
---|---|---|
committer | Nalin Dahyabhai <nalin@fedoraproject.org> | 2008-09-04 15:13:51 +0000 |
commit | b1efb9b86ddd63eff631e594f9e78f19b6ee6fb5 (patch) | |
tree | e25b20e71931e866cdc5fcbf865f41812c1e8298 | |
parent | bb9aa2106c48a9c180b85d9e122d3e662eee6320 (diff) | |
- if we successfully change the user's password during an attempt to get
initial credentials, but then fail to get initial creds from a
non-master using the new password, retry against the master (#432334)
-rw-r--r-- | krb5-trunk-preauth-master.patch | 48 | ||||
-rw-r--r-- | krb5.spec | 7 |
2 files changed, 55 insertions, 0 deletions
diff --git a/krb5-trunk-preauth-master.patch b/krb5-trunk-preauth-master.patch
new file mode 100644
index 0000000..6f9cb8b
--- /dev/null
+++ b/krb5-trunk-preauth-master.patch
@@ -0,0 +1,48 @@
+Assume that KRB5_PREAUTH_FAILED is subject to propagation delay between the
+master and replicas (this error is only returned when ENC_TIMESTAMP fails),
+and if we get a key-expired error right after changing the password, try
+again against the master KDC. RT#6108
+
+Index: src/lib/krb5/krb/gic_pwd.c
+===================================================================
+--- src/lib/krb5/krb/gic_pwd.c (revision 20704)
++++ src/lib/krb5/krb/gic_pwd.c (working copy)
+@@ -147,10 +147,10 @@
+ goto cleanup;
+
+ /* If all the kdc's are unavailable, or if the error was due to a
+- user interrupt, or preauth errored out, fail */
++ user interrupt, or preauth errored out against the master, fail */
+
+ if ((ret == KRB5_KDC_UNREACH) ||
+- (ret == KRB5_PREAUTH_FAILED) ||
++ ((ret == KRB5_PREAUTH_FAILED) && use_master) ||
+ (ret == KRB5_LIBOS_PWDINTR) ||
+ (ret == KRB5_REALM_CANT_RESOLVE))
+ goto cleanup;
+@@ -320,6 +320,25 @@
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+
++ if ((ret != KRB5KDC_ERR_KEY_EXP) || use_master)
++ goto cleanup;
++ else {
++ /* Okay, we *just* changed the password. Retry against a master KDC,
++ * because either the non-master's using outdated data or the admin
++ * has set an impossibly low maximum password lifetime. */
++ use_master = 1;
++ ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
++ start_time, in_tkt_service, opte,
++ krb5_get_as_key_password, (void *) &pw0,
++ &use_master, &as_reply);
++ if ((ret2 != KRB5_KDC_UNREACH) &&
++ (ret2 != KRB5_REALM_CANT_RESOLVE) &&
++ (ret2 != KRB5_REALM_UNKNOWN))
++ ret = ret2;
++ else
++ use_master = 0;
++ }
++
+ cleanup:
+ krb5int_set_prompt_types(context, 0);
+ /* if getting the password was successful, then check to see if the
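Review bot: Relaxing the bail-out in the first inner hunk to `((ret == KRB5_PREAUTH_FAILED) && use_master) ||` means a preauth failure against a non-master KDC no longer ends the attempt but falls through past the `goto cleanup`, which from the patch header's rationale is presumably the existing retry against the master. Since the header itself says this error is only produced when ENC_TIMESTAMP fails, the common cause is a mistyped password, so every wrong password now costs two AS exchanges and leaves a failed-preauth event on both the replica and the master; any KDC-side failed-authentication counting or lockout would see two failures per user attempt, and the master absorbs the full volume of password-guessing traffic instead of the replicas. That trade-off is deliberate per the header but invisible at the check itself, so I would record it there, e.g. `/* A replica may not yet have a freshly reset key, so a preauth failure against a non-master falls through to the master retry below; this doubles AS traffic and failed-preauth counts for a mistyped password. */`. The enclosing function begins and ends outside both inner hunks, and the master-retry code the fall-through reaches is not shown.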
@@ -101,6 +101,7 @@ Patch76: krb5-CVE-2007-5901.patch
Patch77: krb5-CVE-2007-5971.patch
Patch78: krb5-1.6.3-lucid-acceptor.patch
Patch79: krb5-trunk-ftp_mget_case.patch
+Patch80: krb5-trunk-preauth-master.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
@@ -231,6 +232,11 @@ to obtain initial credentials from a KDC using a private key and a certificate.
%changelog
+* Thu Sep 4 2008 Nalin Dahyabhai <nalin@redhat.com>
+- if we successfully change the user's password during an attempt to get
+ initial credentials, but then fail to get initial creds from a non-master
+ using the new password, retry against the master (#432334)
+
* Tue Aug 5 2008 Tom "spot" Callaway <tcallawa@redhat.com> 1.6.3-16
- fix license tag
@@ -1383,6 +1389,7 @@ popd
%patch77 -p0 -b .2007-5971
%patch78 -p0 -b .lucid_acceptor
%patch79 -p0 -b .ftp_mget_case
+%patch80 -p0 -b .preauth_master
cp src/krb524/README README.krb524
gzip doc/*.ps |