From 79d626dde9e7e38da79da1911338e18998e348df Mon Sep 17 00:00:00 2001
|
|
From: Greg Hudson <ghudson@mit.edu>
|
|
Date: Mon, 25 Jul 2016 13:28:43 -0400
|
|
Subject: [PATCH] Improve bad password inference in kinit
|
|
|
|
kinit currently outputs "Password incorrect" if it sees a
|
|
bad-integrity error code, which results if the KDC reply couldn't be
|
|
decrypted, or when encrypted timestamp preauth fails against an MIT
|
|
krb5 1.14 or earlier KDC. Expand this check to include general
|
|
preauth failures reported by the KDC, but only if a password was
|
|
prompted for.
|
|
|
|
ticket: 8465 (new)
|
|
(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
|
|
---
|
|
src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
|
|
1 file changed, 20 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
|
|
index eba36b9..990fd11 100644
|
|
--- a/src/clients/kinit/kinit.c
|
|
+++ b/src/clients/kinit/kinit.c
|
|
@@ -700,9 +700,18 @@ kinit_prompter(
|
|
krb5_prompt prompts[]
|
|
)
|
|
{
|
|
- krb5_error_code rc =
|
|
- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
|
|
- return rc;
|
|
+ krb5_boolean *pwprompt = data;
|
|
+ krb5_prompt_type *ptypes;
|
|
+ int i;
|
|
+
|
|
+ /* Make a note if we receive a password prompt. */
|
|
+ ptypes = krb5_get_prompt_types(ctx);
|
|
+ for (i = 0; i < num_prompts; i++) {
|
|
+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
|
|
+ *pwprompt = TRUE;
|
|
+ }
|
|
+
|
|
+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
|
|
}
|
|
|
|
static int
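Review bot: `*pwprompt = TRUE` writes through `data` without checking it, so kinit_prompter now requires every caller to pass a valid krb5_boolean pointer. The only call site visible in this patch (the INIT_PW case) does so, but any other registration of this prompter with a null `data` would fault on the first password prompt. The `ptypes != NULL` test is also loop-invariant and is re-evaluated on every iteration. Both can be handled by guarding the loop once with `if (pwprompt != NULL && ptypes != NULL) {` around the `for`, and a one-line comment such as `/* data must point to a krb5_boolean that is set when a password prompt is seen. */` would document the new contract. The function's signature begins above this hunk.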
|
|
@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
|
|
krb5_creds my_creds;
|
|
krb5_error_code code = 0;
|
|
krb5_get_init_creds_opt *options = NULL;
|
|
+ krb5_boolean pwprompt = FALSE;
|
|
int i;
|
|
|
|
memset(&my_creds, 0, sizeof(my_creds));
|
|
@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
|
|
switch (opts->action) {
|
|
case INIT_PW:
|
|
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
|
|
- 0, kinit_prompter, 0,
|
|
+ 0, kinit_prompter, &pwprompt,
|
|
opts->starttime,
|
|
opts->service_name,
|
|
options);
|
|
@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
|
|
break;
|
|
}
|
|
|
|
- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
|
|
+ /* If reply decryption failed, or if pre-authentication failed and we
|
|
+ * were prompted for a password, assume the password was wrong. */
|
|
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
|
|
+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
|
|
fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
|
|
doing);
|
|
- else
|
|
+ } else {
|
|
com_err(progname, code, _("while %s"), doing);
|
|
+ }
|
|
goto cleanup;
|
|
}
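Review bot: The `Password incorrect` branch replaces the com_err() call, so when `pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED` holds, the error text for the code returned by the library is never printed, although the new comment itself says a wrong password is only assumed. A pre-authentication failure after a password prompt can presumably have causes other than a mistyped password, and someone troubleshooting from kinit's output alone cannot tell the reply-decryption case from the KDC-reported case. I would extend the comment to record that, e.g. `/* This is a heuristic; the underlying error code is not reported in this branch. */`. The enclosing k5_kinit body starts and ends outside the hunk.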
|
|
|
|
--
|
|
2.9.3
|
|
|