[29516] in CVS-changelog-for-Kerberos-V5


krb5 commit: Improve bad password inference in kinit

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 25 20:40:00 2016

Date: Mon, 25 Jul 2016 20:39:57 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201607260039.u6Q0dvTH019577@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/1a83ffad4d8e405ce696536c06d9bce1f8100595
commit 1a83ffad4d8e405ce696536c06d9bce1f8100595
Author: Greg Hudson <ghudson@mit.edu>
Date:   Mon Jul 25 13:28:43 2016 -0400

    Improve bad password inference in kinit
    
    kinit currently outputs "Password incorrect" if it sees a
    bad-integrity error code, which results if the KDC reply couldn't be
    decrypted, or when encrypted timestamp preauth fails against an MIT
    krb5 1.14 or earlier KDC.  Expand this check to include general
    preauth failures reported by the KDC, but only if a password was
    prompted for.
    
    ticket: 8465 (new)

 src/clients/kinit/kinit.c |   26 ++++++++++++++++++++------
 1 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index f24c319..ce5aa4b 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -684,9 +684,18 @@ kinit_prompter(
     krb5_prompt prompts[]
 )
 {
-    krb5_error_code rc =
-        krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
-    return rc;
+    krb5_boolean *pwprompt = data;
+    krb5_prompt_type *ptypes;
+    int i;
+
+    /* Make a note if we receive a password prompt. */
+    ptypes = krb5_get_prompt_types(ctx);
+    for (i = 0; i < num_prompts; i++) {
+        if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
+            *pwprompt = TRUE;
+    }
+
+    return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
 }
 
 static int
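Review bot: `*pwprompt = TRUE` dereferences `data` without a NULL check, and before this commit the call site passed `0` for that argument. Any caller of kinit_prompter that still passes a null data pointer would crash on the first password prompt; no such caller is visible in this diff, so this may be hypothetical. Guarding the store is cheap: `if (pwprompt != NULL && ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)`. The `ptypes != NULL` test is loop-invariant and could be hoisted so the loop is skipped when no prompt types are available. The function's signature begins above the hunk.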
@@ -699,6 +708,7 @@ k5_kinit(opts, k5)
     krb5_creds my_creds;
     krb5_error_code code = 0;
     krb5_get_init_creds_opt *options = NULL;
+    krb5_boolean pwprompt = FALSE;
     int i;
 
     memset(&my_creds, 0, sizeof(my_creds));
@@ -807,7 +817,7 @@ k5_kinit(opts, k5)
     switch (opts->action) {
     case INIT_PW:
         code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
-                                            0, kinit_prompter, 0,
+                                            0, kinit_prompter, &pwprompt,
                                             opts->starttime,
                                             opts->service_name,
                                             options);
@@ -844,11 +854,15 @@ k5_kinit(opts, k5)
             break;
         }
 
-        if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+        /* If reply decryption failed, or if pre-authentication failed and we
+         * were prompted for a password, assume the password was wrong. */
+        if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+            (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
             fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
                     doing);
-        else
+        } else {
             com_err(progname, code, _("while %s"), doing);
+        }
         goto cleanup;
     }
 
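Review bot: The new `pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED` condition discards the KDC's actual error, so a pre-authentication failure with another cause is presented to the user as a wrong password. `pwprompt` is set on the first password prompt and never cleared, so it records only that a password was requested at some point, not that the failed mechanism used it; that may matter when several preauth mechanisms are tried in one exchange. I would extend the comment to say this is a heuristic, e.g. `/* Heuristic: PREAUTH_FAILED can have other causes; the real code is not shown. */`. Consider also reporting `code` through com_err when verbose output is enabled, so failed logins remain diagnosable. k5_kinit starts and ends outside this hunk.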