Diffstat (limited to 'Improve-bad-password-inference-in-kinit.patch')
-rw-r--r-- | Improve-bad-password-inference-in-kinit.patch | 82 |
1 files changed, 82 insertions, 0 deletions
diff --git a/Improve-bad-password-inference-in-kinit.patch b/Improve-bad-password-inference-in-kinit.patch
new file mode 100644
index 0000000..23b0536
--- /dev/null
+++ b/Improve-bad-password-inference-in-kinit.patch
@@ -0,0 +1,82 @@
+From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 25 Jul 2016 13:28:43 -0400
+Subject: [PATCH 17/19] Improve bad password inference in kinit
+
+kinit currently outputs "Password incorrect" if it sees a
+bad-integrity error code, which results if the KDC reply couldn't be
+decrypted, or when encrypted timestamp preauth fails against an MIT
+krb5 1.14 or earlier KDC. Expand this check to include general
+preauth failures reported by the KDC, but only if a password was
+prompted for.
+
+ticket: 8465 (new)
+(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
+---
+ src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+index eba36b9..990fd11 100644
+--- a/src/clients/kinit/kinit.c
++++ b/src/clients/kinit/kinit.c
+@@ -700,9 +700,18 @@ kinit_prompter(
+ krb5_prompt prompts[]
+ )
+ {
+- krb5_error_code rc =
+- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+- return rc;
++ krb5_boolean *pwprompt = data;
++ krb5_prompt_type *ptypes;
++ int i;
++
++ /* Make a note if we receive a password prompt. */
++ ptypes = krb5_get_prompt_types(ctx);
++ for (i = 0; i < num_prompts; i++) {
++ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
++ *pwprompt = TRUE;
++ }
++
++ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+ }
+
+ static int
+@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
+ krb5_creds my_creds;
+ krb5_error_code code = 0;
+ krb5_get_init_creds_opt *options = NULL;
++ krb5_boolean pwprompt = FALSE;
+ int i;
+
+ memset(&my_creds, 0, sizeof(my_creds));
+@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
+ switch (opts->action) {
+ case INIT_PW:
+ code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
+- 0, kinit_prompter, 0,
++ 0, kinit_prompter, &pwprompt,
+ opts->starttime,
+ opts->service_name,
+ options);
+@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
+ break;
+ }
+
+- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
++ /* If reply decryption failed, or if pre-authentication failed and we
++ * were prompted for a password, assume the password was wrong. */
++ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
++ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
+ fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
+ doing);
+- else
++ } else {
+ com_err(progname, code, _("while %s"), doing);
++ }
+ goto cleanup;
+ }
+
+--
+2.9.3
+
|
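Review bot: In the kinit_prompter hunk of the embedded patch, `*pwprompt = TRUE` writes through `data` without checking it, so the callback is only safe when every registration passes a valid `krb5_boolean *`; the one call site visible here (INIT_PW) does pass `&pwprompt`, but any others lie outside the hunks. A guard such as `if (pwprompt != NULL && ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)` would keep the prompter safe when `data` is null. Separately, the flag is never cleared and the final check tests only `pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED`, so as far as these lines show, a pre-authentication failure with another cause after a password prompt is also reported as "Password incorrect" and the KDC's own error text is not printed. Extending the comment on that `if` to say the message is a heuristic and that the original code is suppressed would help anyone triaging failed logins. The bodies of kinit_prompter and k5_kinit continue outside the hunks shown.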