kinit with expired password fails, patch

Chris Hecker checker at
Wed Apr 25 12:29:16 EDT 2012

I had this same problem with the count and posted about it a couple months ago...I'm on a phone so can't find the link right now, just adding to the anecdotes.


Russ Allbery <rra at> wrote:

Stef Walter <stefw at> writes:

> When running kinit for an account with an expired password, kerberos
> correctly tries to help the user to change it.

> However, this is broken by the preauth use counts. The preauth use
> counts need to be set to zero again before doing preauth for the
> kadmin/changepw credential.

> Attached is a patch which fixes this. Is there a more general solution?
> I would be happy to update the patch if so.

I think this problem goes deeper. I believe I just ran into the same
thing (with MIT Kerberos 1.10+dfsg~beta1-2 as found in Debian). In
testing pam-krb5, if I attempt krb5_get_init_creds_password twice with the
same context with an incorrect password the first time (encountered when
testing the PAM module with try_first_pass and an incorrect initial
password), the second time always fails with KRB5_PREAUTH_FAILED.

If I free the context and create a new context between attempts, it

This therefore isn't just a problem with password change; it looks like
any attempted authentication corrupts the context so that no further
authentication that requires preauth can succeed.

I think the correct fix is to do something like this deeper down:

Index: src/lib/krb5/krb/gc_via_tkt.c

--- src/lib/krb5/krb/gc_via_tkt.c	(revision 25821)
+++ src/lib/krb5/krb/gc_via_tkt.c	(working copy)
@@ -392,6 +392,7 @@
goto cleanup;

+ krb5_clear_preauth_context_use_counts(context);
if (dec_rep != NULL) {
memset(dec_rep->enc_part2->session->contents, 0,
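Review bot: the added `krb5_clear_preauth_context_use_counts(context);` sits on the fall-through path immediately after a `goto cleanup;`, so every exit that takes that goto (the error cases, which include the failed first attempt described in this mail) never reaches the reset and the use counts stay exhausted. Suggest moving the call under the `cleanup:` label so that both the success and the error returns clear the counts. Separately, the symptom reported is a second `krb5_get_init_creds_password` call failing, which is the initial-ticket (AS) exchange, while gc_via_tkt.c, as its name suggests, handles credential requests made with an existing ticket; worth confirming the reset is also applied where the initial-ticket preauth loop finishes.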

but I have no idea if that's the correct location for this fix either.

This seems like the kind of bug that should trigger a point release. I
can't find a workaround that would let try_first_pass work in the PAM
module without blowing away the context and creating a new one, which I'm
a little leery of doing since I have a bunch of data structures created
with the previous context (krb5_principals and so forth). Although I
guess that wouldn't really matter....

Russ Allbery (rra at <>;
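The failure mode Russ describes above (a second authentication attempt on the same context always failing with KRB5_PREAUTH_FAILED, and a fresh context working around it) can be reproduced in a small constructed model. The code below is an added illustration, not MIT Kerberos code and not the patch from this thread: the `struct ctx`, `run_preauth`, `get_init_creds` and result functions are hypothetical stand-ins that assume a per-context use count gates whether a preauth module may be tried again, and that the counts are cleared (or not) on the request's cleanup path.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model (not MIT Kerberos code) of preauth use counts that
 * live in the library context rather than in a single request. */
#define N_MODULES 1
#define MAX_USES  1
#define CORRECT_PASSWORD "correct-horse"   /* constructed sample value */

enum { ERR_OK = 0, ERR_PREAUTH_FAILED = 1, ERR_BAD_PASSWORD = 2 };

struct ctx {
    int use_counts[N_MODULES];   /* persists until explicitly cleared */
};

static void ctx_init(struct ctx *c) { memset(c, 0, sizeof *c); }

/* Stand-in for krb5_clear_preauth_context_use_counts(): zero all counts. */
static void clear_use_counts(struct ctx *c) {
    memset(c->use_counts, 0, sizeof c->use_counts);
}

/* Run the first preauth module whose use count is not exhausted.
 * Returns 1 on success, -1 if a module ran but the password was wrong,
 * 0 if every module was skipped because its count was already used up. */
static int run_preauth(struct ctx *c, int password_ok) {
    for (int i = 0; i < N_MODULES; i++) {
        if (c->use_counts[i] >= MAX_USES)
            continue;                 /* exhausted in an earlier attempt */
        c->use_counts[i]++;
        return password_ok ? 1 : -1;
    }
    return 0;
}

/* Stand-in for krb5_get_init_creds_password(). When clear_on_cleanup is
 * nonzero, the counts are reset on every exit path (success and error),
 * which is the behaviour the thread argues the library should have. */
static int get_init_creds(struct ctx *c, const char *password,
                          int clear_on_cleanup) {
    int ret;
    int r = run_preauth(c, strcmp(password, CORRECT_PASSWORD) == 0);
    if (r == 0)
        ret = ERR_PREAUTH_FAILED;     /* nothing left to try */
    else if (r < 0)
        ret = ERR_BAD_PASSWORD;
    else
        ret = ERR_OK;
    /* cleanup: */
    if (clear_on_cleanup)
        clear_use_counts(c);
    return ret;
}

/* The try_first_pass scenario: wrong password, then the right one,
 * on the same context. */
static int first_result(int clear_on_cleanup) {
    struct ctx c;
    ctx_init(&c);
    return get_init_creds(&c, "wrong-password", clear_on_cleanup);
}

static int second_result(int clear_on_cleanup) {
    struct ctx c;
    ctx_init(&c);
    (void)get_init_creds(&c, "wrong-password", clear_on_cleanup);
    return get_init_creds(&c, CORRECT_PASSWORD, clear_on_cleanup);
}

/* The workaround from the thread: throw the context away between attempts. */
static int second_result_fresh_context(void) {
    struct ctx c;
    ctx_init(&c);
    (void)get_init_creds(&c, "wrong-password", 0);
    ctx_init(&c);                     /* equivalent of a new krb5_context */
    return get_init_creds(&c, CORRECT_PASSWORD, 0);
}

int main(void) {
    printf("counts never cleared : first=%d second=%d\n",
           first_result(0), second_result(0));
    printf("counts cleared       : first=%d second=%d\n",
           first_result(1), second_result(1));
    printf("fresh context        : second=%d\n", second_result_fresh_context());
    return 0;
}
```

With the counts left in the context, the second attempt never runs a module at all and returns the preauth-failed code regardless of the password; clearing them on the cleanup path, or recreating the context, lets the retry succeed.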

krbdev mailing list krbdev at
