kinit with expired password fails, patch

Russ Allbery rra at stanford.edu
Wed Apr 25 12:24:15 EDT 2012


Stef Walter <stefw at gnome.org> writes:

> When running kinit for an account with an expired password, kerberos
> correctly tries to help the user to change it.

> However, this is broken by the preauth use counts. The preauth use
> counts need to be set to zero again before doing preauth for the
> kadmin/changepw credential.

> Attached is a patch which fixes this. Is there a more general solution?
> I would be happy to update the patch if so.

I think this problem goes deeper.  I believe I just ran into the same
thing (with MIT Kerberos 1.10+dfsg~beta1-2 as found in Debian).  In
testing pam-krb5, if I attempt krb5_get_init_creds_password twice with the
same context with an incorrect password the first time (encountered when
testing the PAM module with try_first_pass and an incorrect initial
password), the second time always fails with KRB5_PREAUTH_FAILED.

If I free the context and create a new context between attempts, it
succeeds.

This therefore isn't just a problem with password change; it looks like
any attempted authentication corrupts the context so that no further
authentication that requires preauth can succeed.

I think the correct fix is to do something like this deeper down:

Index: src/lib/krb5/krb/gc_via_tkt.c
===================================================================
--- src/lib/krb5/krb/gc_via_tkt.c	(revision 25821)
+++ src/lib/krb5/krb/gc_via_tkt.c	(working copy)
@@ -392,6 +392,7 @@
         goto cleanup;
 
 cleanup:
+    krb5_clear_preauth_context_use_counts(context);
     if (dec_rep != NULL) {
         memset(dec_rep->enc_part2->session->contents, 0,
                dec_rep->enc_part2->session->length);
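
Review bot: the added krb5_clear_preauth_context_use_counts(context) call sits directly under the cleanup: label, so it runs unconditionally on every path that reaches that label, and it has no comment saying why the preauth use counts are reset at this point. A one-line comment above the call would help. The hunk also does not show which function in gc_via_tkt.c this label belongs to, while the failure described above is a second krb5_get_init_creds_password call on the same context. Please confirm that this cleanup is actually reached between the two attempts, and if it is not, move the reset to the code path that call takes.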

but I have no idea if that's the correct location for this fix either.

This seems like the kind of bug that should trigger a point release.  I
can't find a workaround that would let try_first_pass work in the PAM
module without blowing away the context and creating a new one, which I'm
a little leery of doing since I have a bunch of data structures created
with the previous context (krb5_principals and so forth).  Although I
guess that wouldn't really matter....

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>

