Logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok()?

Bo Yang boyang at novell.com
Fri Jun 6 15:05:29 GMT 2008


      Thank you for your explanation of the problem, I understand it.
      I'll post the modified patch as soon as possible.


>>> Guenther Deschner <gd at samba.org> 06/06/08 11:58 PM >>>
Bo Yang wrote:
> Hi, All:
>        There is a logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok().
>       In pam_sm_chauthtok(), WINBIND_CACHED_LOGIN is cleared, which causes WBFLAG_PAM_CACHED_LOGIN
> to be cleared. But in winbindd_dual_pam_chauthtok(),
>       if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
>             Update cached credentials.
>       }
>       But WBFLAG_PAM_CACHED_LOGIN is cleared, therefore the cached credentials are never updated when the password is
> changed.
>       Patches for v3-0-test, v3-2-test, v3-3-test in attachment.
>       Please review it.

The idea behind disabling the cached creds flag was to not let the user 
type three passwords before noticing that the DC is unavailable, 
therefore that flag should remain turned off for auth (to make sure we're 
really verifying the creds against a living DC) and then turned on (if 
globally enabled) for the chauthtok only (to store modified creds).

I'm going to check in a modified version of your patch.


Günther Deschner                    GPG-ID: 8EE11688
Red Hat                         gdeschner at redhat.com
Samba Team                              gd at samba.org

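The flag handling discussed in this thread, modelled as an added example so the original flow and the intended flow can be compared side by side. This is illustrative code written for this page, not Samba's pam_winbind or winbindd source: the struct, the helper names (winbindd_pam_auth, winbindd_pam_chauthtok, chauthtok_flow_original, chauthtok_flow_fixed), the flag value and the status codes are all assumed. The model keeps the quoted check from winbindd_dual_pam_chauthtok(): cached credentials are only stored when WBFLAG_PAM_CACHED_LOGIN is set on the request.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed flag value for this model; not Samba's definition. */
#define WBFLAG_PAM_CACHED_LOGIN 0x0001

/* Assumed status codes standing in for NTSTATUS in this model. */
typedef int wb_status;
#define WB_STATUS_OK               0
#define WB_STATUS_NO_LOGON_SERVERS 1

/* Minimal stand-in for the request winbindd receives from pam_winbind. */
struct wb_request {
    uint32_t flags;
};

/* World state for the model: is a DC reachable, and did winbindd store
 * modified credentials into its cache? */
struct cache_state {
    bool dc_reachable;
    bool cached_updated;
};

/* Model of the auth step: succeeds against a live DC, or falls back to the
 * cached credentials only when the cached-login flag is set. */
static wb_status winbindd_pam_auth(struct cache_state *st, const struct wb_request *req)
{
    if (st->dc_reachable)
        return WB_STATUS_OK;
    if (req->flags & WBFLAG_PAM_CACHED_LOGIN)
        return WB_STATUS_OK; /* cached fallback hides that the DC is down */
    return WB_STATUS_NO_LOGON_SERVERS;
}

/* Model of the check quoted from winbindd_dual_pam_chauthtok(): the password
 * change itself needs a DC, and the cache is updated only if the flag is set. */
static wb_status winbindd_pam_chauthtok(struct cache_state *st, const struct wb_request *req)
{
    if (!st->dc_reachable)
        return WB_STATUS_NO_LOGON_SERVERS;
    wb_status result = WB_STATUS_OK;
    if (result == WB_STATUS_OK && (req->flags & WBFLAG_PAM_CACHED_LOGIN))
        st->cached_updated = true; /* "Update cached credentials." */
    return result;
}

/* Original flow described in the report: WINBIND_CACHED_LOGIN is cleared once,
 * so the flag is missing for both the auth step and the chauthtok step. */
static bool chauthtok_flow_original(struct cache_state *st, bool cached_login_enabled)
{
    struct wb_request req = { .flags = cached_login_enabled ? WBFLAG_PAM_CACHED_LOGIN : 0 };
    req.flags &= ~WBFLAG_PAM_CACHED_LOGIN;
    if (winbindd_pam_auth(st, &req) != WB_STATUS_OK)
        return false;
    return winbindd_pam_chauthtok(st, &req) == WB_STATUS_OK;
}

/* Intended flow from the reply: flag off for auth (force a live DC), then on
 * again, if globally enabled, for the chauthtok request only. */
static bool chauthtok_flow_fixed(struct cache_state *st, bool cached_login_enabled)
{
    struct wb_request req = { .flags = 0 };
    if (winbindd_pam_auth(st, &req) != WB_STATUS_OK)
        return false;
    if (cached_login_enabled)
        req.flags |= WBFLAG_PAM_CACHED_LOGIN;
    return winbindd_pam_chauthtok(st, &req) == WB_STATUS_OK;
}

typedef bool (*chauthtok_flow)(struct cache_state *, bool);

/* Run a flow from a fresh state and report whether the cache was updated. */
static bool cache_updated_after(chauthtok_flow flow, bool dc_reachable, bool enabled)
{
    struct cache_state st = { .dc_reachable = dc_reachable, .cached_updated = false };
    flow(&st, enabled);
    return st.cached_updated;
}

/* Run a flow from a fresh state and report whether the password change succeeded. */
static bool flow_succeeds(chauthtok_flow flow, bool dc_reachable, bool enabled)
{
    struct cache_state st = { .dc_reachable = dc_reachable, .cached_updated = false };
    return flow(&st, enabled);
}

int main(void)
{
    printf("original flow, DC up, cache enabled: cache updated = %d\n",
           cache_updated_after(chauthtok_flow_original, true, true));
    printf("fixed flow,    DC up, cache enabled: cache updated = %d\n",
           cache_updated_after(chauthtok_flow_fixed, true, true));
    printf("fixed flow,    DC down, cache enabled: change succeeded = %d\n",
           flow_succeeds(chauthtok_flow_fixed, false, true));
    return 0;
}
```

With a reachable DC and cached login enabled, the original flow completes the password change but never updates the cache; the fixed flow updates it. With the DC down, both flows fail at the auth step instead of silently accepting cached credentials, which is the behaviour the reply says the cleared flag was meant to preserve.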