From 647967cda763b525a38d33d026269fb7601a2e26 Mon Sep 17 00:00:00 2001 From: Nalin Dahyabhai Date: Feb 04 2011 23:12:30 +0000 Subject: don't return new-authtok-reqd unless we succeeded gettng password changing creds --- diff --git a/src/acct.c b/src/acct.c index 62da374..b171784 100644 --- a/src/acct.c +++ b/src/acct.c @@ -152,6 +152,11 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, } } else { /* Check what happened when we asked for initial credentials. */ + if (stash->v5expired) { + notice("account checks fail for '%s': " + "password has expired", user); + retval = PAM_NEW_AUTHTOK_REQD; + } else switch (stash->v5result) { case 0: if (options->debug) { @@ -184,11 +189,6 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, retval = PAM_USER_UNKNOWN; } break; - case KRB5KDC_ERR_KEY_EXP: - notice("account checks fail for '%s': " - "password has expired", user); - retval = PAM_NEW_AUTHTOK_REQD; - break; case EAGAIN: case KRB5_REALM_CANT_RESOLVE: notice("account checks fail for '%s': " diff --git a/src/auth.c b/src/auth.c index 64ac293..6d2f4d9 100644 --- a/src/auth.c +++ b/src/auth.c @@ -224,6 +224,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, NULL, gic_options, _pam_krb5_always_fail_prompter, + &stash->v5expired, &stash->v5result); stash->v5attempted = 1; if (options->debug) { @@ -272,6 +273,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, use_third_pass ? _pam_krb5_normal_prompter : _pam_krb5_previous_prompter, + &stash->v5expired, &stash->v5result); use_third_pass = 0; stash->v5attempted = 1; @@ -365,6 +367,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, use_third_pass ? _pam_krb5_normal_prompter : _pam_krb5_always_fail_prompter, + &stash->v5expired, &stash->v5result); use_third_pass = 0; stash->v5attempted = 1; 
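Review bot: `stash->v5expired` is read in the new branch without anything in this commit giving it a zero value: v5_get_creds (v5.c hunk at -1628) only ever stores `*expired = 1` and never clears it, so the test depends on the stash being zero-initialized where it is allocated, which is outside this diff. If `_pam_krb5_stash` is malloc'd and initialized field by field, the read is undefined behaviour, and a stale or garbage nonzero value would make pam_sm_acct_mgmt report an expired password that v5_get_creds never diagnosed. The smallest fix is to define the out-parameter on every path at the top of v5_get_creds, `if (expired) { *expired = 0; }`, which also covers the four auth.c call sites (hunks at -224, -272, -365, -426); otherwise set `stash->v5expired = 0;` where the stash is created. A comment above the new if, `/* set only after the password was accepted for password-changing creds */`, would make the precedence over v5result explicit, and `} else switch (...) {` reads more clearly with the else body braced. pam_sm_acct_mgmt continues outside the hunk on both sides.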
@@ -426,6 +429,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags, options->permit_password_callback ? _pam_krb5_always_prompter : _pam_krb5_normal_prompter, + &stash->v5expired, &stash->v5result); stash->v5attempted = 1; if (options->debug) { diff --git a/src/password.c b/src/password.c index 71c0bae..66d5cb1 100644 --- a/src/password.c +++ b/src/password.c @@ -236,6 +236,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, PASSWORD_CHANGE_PRINCIPAL, password, NULL, _pam_krb5_normal_prompter, + NULL, &tmp_result); prelim_attempted = 1; if (options->debug) { @@ -288,6 +289,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, password ? _pam_krb5_normal_prompter : _pam_krb5_always_fail_prompter, + NULL, &tmp_result); v5_free_get_init_creds_opt(ctx, tmp_gicopts); prelim_attempted = 1; @@ -450,6 +452,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, KRB5_TGS_NAME, password, gic_options, _pam_krb5_always_fail_prompter, + NULL, &stash->v5result); stash->v5attempted = 1; if (i == PAM_SUCCESS) { diff --git a/src/stash.h b/src/stash.h index 1330512..e84f3bb 100644 --- a/src/stash.h +++ b/src/stash.h @@ -1,5 +1,5 @@ /* - * Copyright 2003,2007,2009 Red Hat, Inc. + * Copyright 2003,2007,2009,2011 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -43,7 +43,7 @@ struct _pam_krb5_ccname_list { struct _pam_krb5_stash { char *key; krb5_context v5ctx; - int v5attempted, v5result; + int v5attempted, v5result, v5expired; struct _pam_krb5_ccname_list *v5ccnames; krb5_creds v5creds; int v5setenv; diff --git a/src/v5.c b/src/v5.c index 0670d02..b3e4fcf 100644 --- a/src/v5.c +++ b/src/v5.c 
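Review bot: After a successful password change the third password.c hunk (-450) refreshes `stash->v5result` from the new v5_get_creds call but passes `NULL` for expired, so `stash->v5expired` keeps whatever value authentication stored in it. If the application calls pam_acct_mgmt again after pam_chauthtok, which is not visible here, the new acct.c branch would still return PAM_NEW_AUTHTOK_REQD for a password that has just been changed. Clearing the flag once the new credentials are in hand, `stash->v5expired = 0;` inside the `if (i == PAM_SUCCESS) {` block, keeps the stash consistent with v5result. pam_sm_chauthtok continues outside the hunk.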
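Review bot: The new `v5expired` member in stash.h is undocumented, and its meaning differs from `v5result` in a way acct.c now depends on: it is set only when v5_get_creds accepted the password but obtained password-changing credentials because the password had expired (v5.c hunk at -1628), whereas `v5result` holds the raw result of the attempt. Suggest documenting it on the line, `int v5attempted, v5result, v5expired; /* v5expired: password accepted but expired; set by v5_get_creds(), never cleared by it */`. struct _pam_krb5_stash continues outside the hunk.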
@@ -1,5 +1,5 @@ /* - * Copyright 2003,2004,2005,2006,2007,2008,2009,2010 Red Hat, Inc. + * Copyright 2003,2004,2005,2006,2007,2008,2009,2010,2011 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -1336,6 +1336,7 @@ v5_get_creds(krb5_context ctx, const char *, int, krb5_prompt[]), + int *expired, int *result) { int i; @@ -1628,6 +1629,9 @@ v5_get_creds(krb5_context ctx, case 0: /* Got password-changing creds, so warn about the * expired password and continue. */ + if (expired) { + *expired = 1; + } if (options->warn == 1) { message.msg = "Warning: password has expired."; message.msg_style = PAM_TEXT_INFO; @@ -1644,6 +1648,9 @@ v5_get_creds(krb5_context ctx, debug("attempt to obtain credentials for %s " "failed: %s", realm_service, v5_error_message(i)); } + if (result) { + *result = i; + } return PAM_AUTH_ERR; break; case EAGAIN: diff --git a/src/v5.h b/src/v5.h index 71955f2..1c8878b 100644 --- a/src/v5.h +++ b/src/v5.h @@ -1,5 +1,5 @@ /* - * Copyright 2003,2006,2007,2009 Red Hat, Inc. + * Copyright 2003,2006,2007,2009,2011 Red Hat, Inc. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions @@ -54,6 +54,7 @@ int v5_get_creds(krb5_context ctx, const char *, int, krb5_prompt[]), + int *expired, int *result); int v5_get_creds_etype(krb5_context ctx, diff --git a/tests/019-pamchpw-prompt-wrongpw/run.sh b/tests/019-pamchpw-prompt-wrongpw/run.sh new file mode 100755 index 0000000..d19e918 --- /dev/null +++ b/tests/019-pamchpw-prompt-wrongpw/run.sh @@ -0,0 +1,8 @@ +#!/bin/sh + +source $testdir/testenv.sh + +echo "";echo Fail: incorrect password. +$kadmin -q 'cpw -pw foo '$test_principal 2> /dev/null > /dev/null +$kadmin -q 'modprinc -pwexpire now '$test_principal 2> /dev/null > /dev/null +test_run -auth -account $test_principal $pam_krb5 $test_flags chpw_prompt -- bar 
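Review bot: The new `expired` out-parameter is undocumented both at the v5_get_creds definition (hunk at -1336) and at the prototype in v5.h (hunk at -54), and its contract differs from `result`: `*expired` is written only on the path where password-changing credentials were obtained for an expired password (hunk at -1628), while `*result` is additionally stored on the failure path (hunk at -1648). Suggest a comment above the prototype in v5.h: `/* expired: if non-NULL, set to 1 when the password was accepted but has expired; not written on any other path in this change, so callers must initialize it. */`. v5_get_creds's body runs outside all three hunks.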
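Review bot: `source $testdir/testenv.sh` under `#!/bin/sh` is a bash extension; on a POSIX sh such as dash the new tests/019 script fails at that line before running anything, so unless the harness always invokes bash (not visible here) use `. $testdir/testenv.sh`; tests/020/run.sh has the same line. 019 also calls test_run straight after the two kadmin changes, whereas 020 inserts `test_settle` first; if test_settle exists to let the kadmin change take effect, 019 may intermittently see the not-yet-expired principal and not exercise the expired-plus-wrong-password path it is meant to cover. The unquoted `$test_principal` inside the `kadmin -q` strings would also break for principal names containing shell metacharacters, though test principals presumably do not.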
diff --git a/tests/019-pamchpw-prompt-wrongpw/stderr.expected b/tests/019-pamchpw-prompt-wrongpw/stderr.expected new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/019-pamchpw-prompt-wrongpw/stderr.expected diff --git a/tests/019-pamchpw-prompt-wrongpw/stdout.expected b/tests/019-pamchpw-prompt-wrongpw/stdout.expected new file mode 100644 index 0000000..2c8b42e --- /dev/null +++ b/tests/019-pamchpw-prompt-wrongpw/stdout.expected @@ -0,0 +1,6 @@ + +Fail: incorrect password. +Calling module `pam_krb5.so'. +`Password: ' -> `bar' +AUTH 7 Authentication failure +ACCT 0 Success diff --git a/tests/020-pamchpw-prompt-success/run.sh b/tests/020-pamchpw-prompt-success/run.sh new file mode 100755 index 0000000..f459914 --- /dev/null +++ b/tests/020-pamchpw-prompt-success/run.sh @@ -0,0 +1,9 @@ +#!/bin/sh + +source $testdir/testenv.sh + +echo "";echo Succeed: correct password, expired, change. +$kadmin -q 'cpw -pw foo '$test_principal 2> /dev/null > /dev/null +$kadmin -q 'modprinc -pwexpire now '$test_principal 2> /dev/null > /dev/null +test_settle +test_run -auth -account -setcred -session $test_principal $pam_krb5 $test_flags chpw_prompt -- foo bar bar diff --git a/tests/020-pamchpw-prompt-success/stderr.expected b/tests/020-pamchpw-prompt-success/stderr.expected new file mode 100644 index 0000000..e69de29 --- /dev/null +++ b/tests/020-pamchpw-prompt-success/stderr.expected diff --git a/tests/020-pamchpw-prompt-success/stdout.expected b/tests/020-pamchpw-prompt-success/stdout.expected new file mode 100644 index 0000000..5508baa --- /dev/null +++ b/tests/020-pamchpw-prompt-success/stdout.expected @@ -0,0 +1,13 @@ + +Succeed: correct password, expired, change. +Calling module `pam_krb5.so'. +`Password: ' -> `foo' +`Password expired. You must change it now.' +`New Kerberos 5 Password: ' -> `bar' +`Repeat New Kerberos 5 Password: ' -> `bar' +AUTH 0 Success +ACCT 0 Success +ESTCRED 0 Success +OPENSESS 0 Success +CLOSESESS 0 Success +DELCRED 0 Success 
diff --git a/tests/Makefile.am b/tests/Makefile.am index 68430fa..566b8bc 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -56,7 +56,13 @@ EXTRA_DIST = run-tests.sh testenv.sh.in \ 018-krb4/run.sh \ 018-krb4/stderr.expected \ 018-krb4/stdout.expected \ - 018-krb4/uses_v4 + 018-krb4/uses_v4 \ + 019-pamchpw-prompt-wrongpw/run.sh \ + 019-pamchpw-prompt-wrongpw/stderr.expected \ + 019-pamchpw-prompt-wrongpw/stdout.expected \ + 020-pamchpw-prompt-success/run.sh \ + 020-pamchpw-prompt-success/stderr.expected \ + 020-pamchpw-prompt-success/stdout.expected check: all testenv.sh $(srcdir)/run-tests.sh