Diffstat (limited to 'Improve-bad-password-inference-in-kinit.patch')
-rw-r--r--Improve-bad-password-inference-in-kinit.patch82
1 files changed, 82 insertions, 0 deletions
diff --git a/Improve-bad-password-inference-in-kinit.patch b/Improve-bad-password-inference-in-kinit.patch
new file mode 100644
index 0000000..23b0536
--- /dev/null
+++ b/Improve-bad-password-inference-in-kinit.patch
@@ -0,0 +1,82 @@
+From e9517473b649a50ab7414788fb5d6c2715ac8ee4 Mon Sep 17 00:00:00 2001
+From: Greg Hudson <ghudson@mit.edu>
+Date: Mon, 25 Jul 2016 13:28:43 -0400
+Subject: [PATCH 17/19] Improve bad password inference in kinit
+
+kinit currently outputs "Password incorrect" if it sees a
+bad-integrity error code, which results if the KDC reply couldn't be
+decrypted, or when encrypted timestamp preauth fails against an MIT
+krb5 1.14 or earlier KDC. Expand this check to include general
+preauth failures reported by the KDC, but only if a password was
+prompted for.
+
+ticket: 8465 (new)
+(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
+---
+ src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+index eba36b9..990fd11 100644
+--- a/src/clients/kinit/kinit.c
++++ b/src/clients/kinit/kinit.c
+@@ -700,9 +700,18 @@ kinit_prompter(
+ krb5_prompt prompts[]
+ )
+ {
+- krb5_error_code rc =
+- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+- return rc;
++ krb5_boolean *pwprompt = data;
++ krb5_prompt_type *ptypes;
++ int i;
++
++ /* Make a note if we receive a password prompt. */
++ ptypes = krb5_get_prompt_types(ctx);
++ for (i = 0; i < num_prompts; i++) {
++ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
++ *pwprompt = TRUE;
++ }
++
++ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+ }
+
+ static int
+@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
+ krb5_creds my_creds;
+ krb5_error_code code = 0;
+ krb5_get_init_creds_opt *options = NULL;
++ krb5_boolean pwprompt = FALSE;
+ int i;
+
+ memset(&my_creds, 0, sizeof(my_creds));
+@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
+ switch (opts->action) {
+ case INIT_PW:
+ code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
+- 0, kinit_prompter, 0,
++ 0, kinit_prompter, &pwprompt,
+ opts->starttime,
+ opts->service_name,
+ options);
+@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
+ break;
+ }
+
+- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
++ /* If reply decryption failed, or if pre-authentication failed and we
++ * were prompted for a password, assume the password was wrong. */
++ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
++ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
+ fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
+ doing);
+- else
++ } else {
+ com_err(progname, code, _("while %s"), doing);
++ }
+ goto cleanup;
+ }
+
+--
+2.9.3
+
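Review bot: In the embedded kinit.c change, `kinit_prompter` stores through `pwprompt` (the callback's `data` argument) without a NULL check, even though the call it replaces passed `0` there. The INIT_PW call is updated to pass `&pwprompt`, but the rest of `k5_kinit` lies outside these hunks, so any other user of this prompter that still passes a null `data` would crash on the first password prompt. Guarding the store keeps the callback safe regardless of caller: `if (pwprompt != NULL && ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)`. Separately, in the final hunk the "Password incorrect" branch now also covers `KRB5KDC_ERR_PREAUTH_FAILED` and bypasses `com_err`, so the real error code is no longer printed. A short comment there saying that this is an inference and that the KDC-reported code is dropped would help anyone triaging failed logins.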