Package: libpam-krb5
Version: 3.8-1
Severity: normal
Tags: patch

Hi,

I use a configuration like this:

/etc/pam.d/common-password:
---
password requires pam_cracklib.so
password requires pam_krb5 use_authtok
---

This works great if cracklib loves the given new password. But in the case it doesn't, krb5 is asking again for a new password and accepts everything.

In short: the use_authtok option is not handled correctly. The manpage says 'Never prompt the user for a password under any circumstances'.

I have found the reason in function get_new_password(). It seems that pam_krb5 assumes pam_get_item() to return a value different from PAM_SUCCESS if no new password is set on the stack before. But pam_get_item() will always return PAM_SUCCESS, so I think we have to check if the password is NULL instead.

A little patch is appended.

Greetings

Stephan

-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (600, 'testing'), (400, 'unstable'), (300, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.22.9-aresius (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

--
Stephan Krempel <[EMAIL PROTECTED]>
PGP public key: http://www.aresius.de/stephan_krempel.pgp
UTF8 - true i18n

--- libpam-krb5-3.8.orig/api-password.c +++ libpam-krb5-3.8/api-password.c @@ -55,7 +55,7 @@ if (tmp != NULL) *pass = strdup((const char *) tmp); } - if (args->use_authtok && pamret != PAM_SUCCESS) { + if (args->use_authtok && tmp == NULL) { pamk5_debug_pam(args, "no stored password", pamret); pamret = PAM_AUTHTOK_ERR; goto done;
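
Review bot: The replaced `if` no longer tests pamret, so in the case the report describes (the lookup succeeds but tmp is NULL) the next line, `pamk5_debug_pam(args, "no stored password", pamret);`, is passed PAM_SUCCESS and the debug log pairs a failure message with a success status. Assign `pamret = PAM_AUTHTOK_ERR;` before the debug call, or pass that constant to it directly. Consider also keeping the return-code test next to the new one, as in `if (args->use_authtok && (pamret != PAM_SUCCESS || tmp == NULL)) {`, so that a real lookup failure is still rejected without relying on tmp having been left NULL. A one-line comment saying that a successful lookup can still yield a NULL item would explain why the pointer is tested rather than the return code. Separately, in the unchanged context line `*pass = strdup((const char *) tmp);` the result of strdup() is not checked, so an allocation failure would pass through this block unnoticed.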