Issue #1814: Empty Kerberos passwords handled incorrectly - sssd - Pagure.io

SSSD / sssd

#1814 Empty Kerberos passwords handled incorrectly

Closed: Fixed None Opened 11 years ago by endzone.

Currently, entering an empty kerberos password at the XDM login prompt creates a "critical error" message.

It turns out that in the case of an empty password, Kerberos returns an LIBOS_CANTREADPWD to SSSD, which then returns PAM_CRED_UNAVAIL thru commit 383fa7e.

But actually it looks like Kerberos does not support empty passwords at all!

Hence, commit 383fa7e is correct in the sense that a Kerberos LIBOS_CANTREADPWD error should result in PAM_CRED_UNAVAIL.

BUT as Kerberos does even not support empty passwords, it returns LIBOS_CANTREADPWD somewhat wrongly here, interpreting the empty password as a failure to read a non-empty one (hence CANTREADPWD).

It should be SSSDs job to immediately return PAM_AUTH_ERR on an empty kerberos password, without actually forwarding the empty password to Kerberos (which would result in PAM_CRED_UNAVAIL).

I was not able to dig up Kerberos documentation that explicitly states that empty passwords are not allowed. Still, a google search reveals that this seems to be a commonly communicated fact".

endzone commented 11 years ago

I found some evidence that an empty password causes Kerberos libs to explicitly ask for the password again. With most authentication modules, this issue is circumvented by simply denying empty passwords.

See this quote from the "pam-krb5" changelog:

Always treat an empty password as an authentication failure rather than passing it to the Kerberos libraries, which may treat it as no password and prompt without our knowledge. This prompting could lead to authenticating with a password unknown to the PAM stack, which could cause unexpected problems in some PAM configurations.

jhrozek commented 11 years ago

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.5

jhrozek commented 11 years ago

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=917011

rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=917011 917011]

jhrozek commented 11 years ago

Fields changed

owner: somebody => okos

jhrozek commented 11 years ago

Fields changed

milestone: SSSD 1.9.5 => SSSD 1.10.0
review: => 0

jhrozek commented 10 years ago

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10.1

okos commented 10 years ago

Fields changed

changelog: =>
patch: 0 => 1
status: new => assigned

jhrozek commented 10 years ago

master:
- feece80
- 3df5930
sssd-1-10:
- 1040b33
- 5359c2c

resolution: => fixed
status: assigned => closed

Metadata Update from @endzone:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.10.1

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2856

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata

Assignee

Tags

None

Blocking

None

Depending on

None

Priority

major

Milestone

SSSD 1.10.1

type

defect

component

SSSD

version

1.9.4

selected

None

testsupdated

0

patch

1

rhbz

https://bugzilla.redhat.com/show_bug.cgi?id=917011

design_review

0

review

0

changelog

None

keywords

None

coverity

None

mark

None

blocking

None

design

None

sensitive

None

cc

None

blockedby

None

feature_milestone

None

Powered by Pagure 5.13.3

Documentation • File an Issue • About • SSH Hostkey/Fingerprint

© Red Hat, Inc. and others.