[krbdev.mit.edu #8745] libss without readline can interfere with reading passwords
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Oct 3 18:43:24 EDT 2018
Without readline support, libss uses a dummy version which just calls
fgets() on stdin.

krb5_read_password() (used by ktutil and kadmin) uses
krb5_prompter_posix(), which opens its own unbuffered copy of fd 0.
Therefore, it will not see any data buffered within stdin.

Put together, kadmin or ktutil can exhibit incorrect behavior when
fed mixed libss and password input over a pipe or from a file:

    $ kadmin.local << EOF
    cpw user
    pw
    pw
    EOF
    Authenticating as principal user/admin@KRBTEST.COM with password.
    kadmin.local: Enter password for principal "user@KRBTEST.COM":
    change_password: Cannot read password while reading password for "user@KRBTEST.COM".
    kadmin.local: kadmin.local: Unknown request "pw". Type "?" for a request list.
    kadmin.local: kadmin.local: Unknown request "pw". Type "?" for a request list.
    kadmin.local:

If ss is built with readline support, this bug does not manifest
because readline() is careful not to read any characters from fd 0
beyond the newline.