rpms/krb5
6
0
Fork 0
Code Issues Pull Requests Releases Activity

- if we successfully change the user's password during an attempt to get

Browse Source 
initial credentials, but then fail to get initial creds from a
    non-master using the new password, retry against the master (#432334)
This commit is contained in:
Nalin Dahyabhai 2008-09-04 15:13:51 +00:00
parent bb9aa2106c
commit b1efb9b86d
2 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
krb5-trunk-preauth-master.patch Normal file
View File

@ -0,0 +1,48 @@
Assume that KRB5_PREAUTH_FAILED is subject to propagation delay between the
master and replicas (this error is only returned when ENC_TIMESTAMP fails),
and if we get a key-expired error right after changing the password, try
again against the master KDC. RT#6108
Index: src/lib/krb5/krb/gic_pwd.c
===================================================================
--- src/lib/krb5/krb/gic_pwd.c (revision 20704)
+++ src/lib/krb5/krb/gic_pwd.c (working copy)
@@ -147,10 +147,10 @@
goto cleanup;
/* If all the kdc's are unavailable, or if the error was due to a
- user interrupt, or preauth errored out, fail */
+ user interrupt, or preauth errored out against the master, fail */
if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_PREAUTH_FAILED) ||
+ ((ret == KRB5_PREAUTH_FAILED) && use_master) ||
(ret == KRB5_LIBOS_PWDINTR) ||
(ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
@@ -320,6 +320,25 @@
krb5_get_as_key_password, (void *) &pw0,
&use_master, &as_reply);
+ if ((ret != KRB5KDC_ERR_KEY_EXP) || use_master)
+ goto cleanup;
+ else {
+ /* Okay, we *just* changed the password. Retry against a master KDC,
+ * because either the non-master's using outdated data or the admin
+ * has set an impossibly low maximum password lifetime. */
+ use_master = 1;
+ ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
+ start_time, in_tkt_service, opte,
+ krb5_get_as_key_password, (void *) &pw0,
+ &use_master, &as_reply);
+ if ((ret2 != KRB5_KDC_UNREACH) &&
+ (ret2 != KRB5_REALM_CANT_RESOLVE) &&
+ (ret2 != KRB5_REALM_UNKNOWN))
+ ret = ret2;
+ else
+ use_master = 0;
+ }
+
cleanup:
krb5int_set_prompt_types(context, 0);
/* if getting the password was successful, then check to see if the

7
krb5.spec
View File

@ -101,6 +101,7 @@ Patch76: krb5-CVE-2007-5901.patch
Patch77: krb5-CVE-2007-5971.patch Patch77: krb5-CVE-2007-5971.patch
Patch78: krb5-1.6.3-lucid-acceptor.patch Patch78: krb5-1.6.3-lucid-acceptor.patch
Patch79: krb5-trunk-ftp_mget_case.patch Patch79: krb5-trunk-ftp_mget_case.patch
Patch80: krb5-trunk-preauth-master.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -231,6 +232,11 @@ to obtain initial credentials from a KDC using a private key and a
certificate. certificate.
%changelog %changelog
* Thu Sep 4 2008 Nalin Dahyabhai <nalin@redhat.com>
- if we successfully change the user's password during an attempt to get
initial credentials, but then fail to get initial creds from a non-master
using the new password, retry against the master (#432334)
* Tue Aug 5 2008 Tom "spot" Callaway <tcallawa@redhat.com> 1.6.3-16 * Tue Aug 5 2008 Tom "spot" Callaway <tcallawa@redhat.com> 1.6.3-16
- fix license tag - fix license tag
@ -1383,6 +1389,7 @@ popd
%patch77 -p0 -b .2007-5971 %patch77 -p0 -b .2007-5971
%patch78 -p0 -b .lucid_acceptor %patch78 -p0 -b .lucid_acceptor
%patch79 -p0 -b .ftp_mget_case %patch79 -p0 -b .ftp_mget_case
%patch80 -p0 -b .preauth_master
cp src/krb524/README README.krb524 cp src/krb524/README README.krb524
gzip doc/*.ps gzip doc/*.ps