Diffstat (limited to 'Improve-bad-password-inference-in-kinit.patch')
-rw-r--r-- | Improve-bad-password-inference-in-kinit.patch | 82 |
1 files changed, 0 insertions, 82 deletions
diff --git a/Improve-bad-password-inference-in-kinit.patch b/Improve-bad-password-inference-in-kinit.patch
deleted file mode 100644
index b6c17e8..0000000
--- a/Improve-bad-password-inference-in-kinit.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001
-From: Greg Hudson <ghudson@mit.edu>
-Date: Mon, 25 Jul 2016 13:28:43 -0400
-Subject: [PATCH] Improve bad password inference in kinit
-
-kinit currently outputs "Password incorrect" if it sees a
-bad-integrity error code, which results if the KDC reply couldn't be
-decrypted, or when encrypted timestamp preauth fails against an MIT
-krb5 1.14 or earlier KDC. Expand this check to include general
-preauth failures reported by the KDC, but only if a password was
-prompted for.
-
-ticket: 8465 (new)
-(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
----
- src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
- 1 file changed, 20 insertions(+), 6 deletions(-)
-
-diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
-index eba36b9..990fd11 100644
---- a/src/clients/kinit/kinit.c
-+++ b/src/clients/kinit/kinit.c
-@@ -700,9 +700,18 @@ kinit_prompter(
- krb5_prompt prompts[]
- )
- {
-- krb5_error_code rc =
-- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
-- return rc;
-+ krb5_boolean *pwprompt = data;
-+ krb5_prompt_type *ptypes;
-+ int i;
-+
-+ /* Make a note if we receive a password prompt. */
-+ ptypes = krb5_get_prompt_types(ctx);
-+ for (i = 0; i < num_prompts; i++) {
-+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
-+ *pwprompt = TRUE;
-+ }
-+
-+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
- }
-
- static int
-@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
- krb5_creds my_creds;
- krb5_error_code code = 0;
- krb5_get_init_creds_opt *options = NULL;
-+ krb5_boolean pwprompt = FALSE;
- int i;
-
- memset(&my_creds, 0, sizeof(my_creds));
-@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
- switch (opts->action) {
- case INIT_PW:
- code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
-- 0, kinit_prompter, 0,
-+ 0, kinit_prompter, &pwprompt,
- opts->starttime,
- opts->service_name,
- options);
-@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
- break;
- }
-
-- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
-+ /* If reply decryption failed, or if pre-authentication failed and we
-+ * were prompted for a password, assume the password was wrong. */
-+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
-+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
- fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
- doing);
-- else
-+ } else {
- com_err(progname, code, _("while %s"), doing);
-+ }
- goto cleanup;
- }
-
- --
-2.9.3
- |