Logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok()?
Guenther Deschner
gd at samba.org
Fri Jun 6 13:58:01 GMT 2008
Bo Yang wrote:
> Hi, All:
>
> There is a logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok().
> In pam_sm_chauthtok(), WINBIND_CACHED_LOGIN is cleared, which causes WBFLAG_PAM_CACHED_LOGIN
> to be cleared. But in winbindd_dual_pam_chauthtok(),
>
> if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
>         /* Update cached credentials. */
> }
> But WBFLAG_PAM_CACHED_LOGIN is cleared; therefore, the cached credential is never updated when the password is
> changed.
>
> Patches for v3-0-test, v3-2-test, v3-3-test in attachment.
>
> Please review it.
The idea behind disabling the cached creds flag was to not let the user
type three passwords before getting notified that the DC is unavailable,
therefore that flag should remain turned off for auth (to make sure we're
really verifying the creds against a living DC) and then turned on (if
globally enabled) for the chauthtok only (to store modified creds).
I'm going to check in a modified version of your patch.
Thanks,
Guenther
--
Günther Deschner GPG-ID: 8EE11688
Red Hat gdeschner at redhat.com
Samba Team gd at samba.org
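
The flag handling discussed in this thread, as an added example that is not part of the original messages and is not Samba code: a small C model of a password change with the cached-login flag cleared for both steps (the reported behaviour) and cleared for the auth step only (the behaviour described in the reply). The struct, the helper names and the bit values are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Placeholder bit values (assumed); the real ones are in Samba's headers. */
#define WINBIND_CACHED_LOGIN    0x1u  /* pam_winbind control option */
#define WBFLAG_PAM_CACHED_LOGIN 0x2u  /* flag in the request to winbindd */

/* Hypothetical stand-in for the DC plus winbindd's credential cache. */
struct model { char dc_pw[32], cached_pw[32]; bool dc_online; };

static unsigned req_flags(unsigned ctrl) {
    return (ctrl & WINBIND_CACHED_LOGIN) ? WBFLAG_PAM_CACHED_LOGIN : 0;
}
/* Auth: a live DC decides; the cache is consulted only if the flag is set. */
static bool model_auth(const struct model *m, const char *pw, unsigned flags) {
    if (m->dc_online) return strcmp(pw, m->dc_pw) == 0;
    return (flags & WBFLAG_PAM_CACHED_LOGIN) && strcmp(pw, m->cached_pw) == 0;
}
/* Change: same condition as the quoted snippet, cache updated only if flagged. */
static bool model_chauthtok(struct model *m, const char *pw, unsigned flags) {
    if (!m->dc_online) return false;
    snprintf(m->dc_pw, sizeof m->dc_pw, "%s", pw);
    if (flags & WBFLAG_PAM_CACHED_LOGIN)
        snprintf(m->cached_pw, sizeof m->cached_pw, "%s", pw);
    return true;
}
/* PAM-side flow. keep_flag=false: flag cleared for both steps (reported
 * behaviour). keep_flag=true: cleared for auth only (behaviour in the reply). */
static bool change_password(struct model *m, unsigned ctrl, const char *old_pw,
                            const char *new_pw, bool keep_flag) {
    unsigned auth_ctrl = ctrl & ~WINBIND_CACHED_LOGIN;
    if (!model_auth(m, old_pw, req_flags(auth_ctrl))) return false;
    return model_chauthtok(m, new_pw, req_flags(keep_flag ? ctrl : auth_ctrl));
}
/* Change "old" -> "new" online, then take the DC away and try a cached login. */
static bool offline_login_after_change(bool keep_flag, const char *pw) {
    struct model m = { "old", "old", true };  /* constructed sample state */
    if (!change_password(&m, WINBIND_CACHED_LOGIN, "old", "new", keep_flag))
        return false;
    m.dc_online = false;
    return model_auth(&m, pw, WBFLAG_PAM_CACHED_LOGIN);
}
/* With the DC down, the change stops at the auth step despite a valid cache. */
static bool change_with_dc_down(void) {
    struct model m = { "old", "old", false };
    return change_password(&m, WINBIND_CACHED_LOGIN, "old", "new", true);
}
int main(void) {
    printf("flag cleared for both steps: offline login with new pw = %d\n",
           offline_login_after_change(false, "new"));
    printf("flag cleared for auth only:  offline login with new pw = %d\n",
           offline_login_after_change(true, "new"));
    return 0;
}
```

In the first case the cache keeps accepting the old password offline after the change; in the second it holds only the new one.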