#1814 Empty Kerberos passwords handled incorrectly
Closed: Fixed None Opened 9 years ago by endzone.

Currently, entering an empty kerberos password at the XDM login prompt creates a "critical error" message.

It turns out that in the case of an empty password, Kerberos returns an LIBOS_CANTREADPWD to SSSD, which then returns PAM_CRED_UNAVAIL thru commit 383fa7e.

But actually it looks like Kerberos does not support empty passwords at all!

Hence, commit 383fa7e is correct in the sense that a Kerberos LIBOS_CANTREADPWD error should result in PAM_CRED_UNAVAIL.

BUT as Kerberos does even not support empty passwords, it returns LIBOS_CANTREADPWD somewhat wrongly here, interpreting the empty password as a failure to read a non-empty one (hence CANTREADPWD).

It should be SSSDs job to immediately return PAM_AUTH_ERR on an empty kerberos password, without actually forwarding the empty password to Kerberos (which would result in PAM_CRED_UNAVAIL).

I was not able to dig up Kerberos documentation that explicitly states that empty passwords are not allowed. Still, a google search reveals that this seems to be a commonly communicated fact".


I found some evidence that an empty password causes Kerberos libs to explicitly ask for the password again. With most authentication modules, this issue is circumvented by simply denying empty passwords.

See this quote from the "pam-krb5" changelog:

Always treat an empty password as an authentication failure rather than passing it to the Kerberos libraries, which may treat it as no password and prompt without our knowledge. This prompting could lead to authenticating with a password unknown to the PAM stack, which could cause unexpected problems in some PAM configurations.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.5

Fields changed

owner: somebody => okos

Fields changed

milestone: SSSD 1.9.5 => SSSD 1.10.0
review: => 0

Fields changed

milestone: SSSD 1.10.0 => SSSD 1.10.1

Fields changed

changelog: =>
patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @endzone:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.10.1

5 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2856

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata