Learn more about these different git repos.
Other Git URLs
Currently, entering an empty kerberos password at the XDM login prompt creates a "critical error" message.
It turns out that in the case of an empty password, Kerberos returns an LIBOS_CANTREADPWD to SSSD, which then returns PAM_CRED_UNAVAIL thru commit 383fa7e.
But actually it looks like Kerberos does not support empty passwords at all!
Hence, commit 383fa7e is correct in the sense that a Kerberos LIBOS_CANTREADPWD error should result in PAM_CRED_UNAVAIL.
BUT as Kerberos does even not support empty passwords, it returns LIBOS_CANTREADPWD somewhat wrongly here, interpreting the empty password as a failure to read a non-empty one (hence CANTREADPWD).
It should be SSSDs job to immediately return PAM_AUTH_ERR on an empty kerberos password, without actually forwarding the empty password to Kerberos (which would result in PAM_CRED_UNAVAIL).
I was not able to dig up Kerberos documentation that explicitly states that empty passwords are not allowed. Still, a google search reveals that this seems to be a commonly communicated fact".
I found some evidence that an empty password causes Kerberos libs to explicitly ask for the password again. With most authentication modules, this issue is circumvented by simply denying empty passwords.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.9.5
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=917011
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=917011 917011]
owner: somebody => okos
milestone: SSSD 1.9.5 => SSSD 1.10.0 review: => 0
milestone: SSSD 1.10.0 => SSSD 1.10.1
changelog: => patch: 0 => 1 status: new => assigned
resolution: => fixed status: assigned => closed
Metadata Update from @endzone: - Issue assigned to okos - Issue set to the milestone: SSSD 1.10.1
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2856
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.