From dsr@lnscu5.lns.cornell.edu Fri Feb 22 14:55:48 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id OAA20841
for <bugs@RT-11.mit.edu>; Fri, 22 Feb 2002 14:55:47 -0500 (EST)
Received: from lnscu5.lns.cornell.edu (lnscu5.lns.cornell.edu [128.84.44.111])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id OAA19307
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 14:55:47 -0500 (EST)
Received: from lnscu6.lns.cornell.edu (lnscu6.lns.cornell.edu [128.84.45.151])
by lnscu5.lns.cornell.edu (8.12.1/8.12.1) with ESMTP id g1MJtko2013060
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 14:55:46 -0500 (EST)
Received: by lnscu6.lns.cornell.edu (8.8.8/1.1.22.3/15Feb00-0854AM)
id OAA0000019806; Fri, 22 Feb 2002 14:55:46 -0500 (EST)
Message-Id: <200202221955.OAA0000019806@lnscu6.lns.cornell.edu>
Date: Fri, 22 Feb 2002 14:55:46 -0500 (EST)
From: Dan Riley <dsr@mail.lns.cornell.edu>
Reply-To: dsr@mail.lns.cornell.edu
To: krb5-bugs@mit.edu
Subject: krb5_get_init_creds_password does not warn about password expiration
X-Send-Pr-Version: 3.99

>Number: 1065
>Category: krb5-libs
>Synopsis: gic_pwd does not warn about password expiration
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 22 14:56:00 EST 2002
>Last-Modified:
>Originator: Dan Riley
>Organization:
LNS, Cornell U.
>Release: krb5-1.2.3
>Environment:
System: OSF1 lnscu6.lns.cornell.edu V4.0 1229 alpha
Machine: alpha
>Description:
If given a prompter, krb5_get_init_creds_password is supposed to warn
the user when password expiration is near. It does not do so if no
in_tkt_service is provided, due to a logic bug. The code

    if (prompter &&
        (in_tkt_service &&
         (strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
        [...]

is, I believe, supposed to not warn only if in_tkt_service is
"kadmin/changepw". However, if in_tkt_service is NULL, the first part
of the && fails and the entire && fails.

>How-To-Repeat:
Set a principal (or password, depending on what your kdc sets the
key expiration field to) to expire in a few hours. Try to login
via login.krb5 or equivalent. Note that no warning is issued.

>Fix:
The correct test is "no in_tkt_service provided or in_tkt_service
is not kadmin/changepw":

diff -ur krb5-1.2.3/src/lib/krb5/krb/gic_pwd.c krb5/lib/krb5/krb/gic_pwd.c
--- krb5-1.2.3/src/lib/krb5/krb/gic_pwd.c Wed Jan 9 17:27:57 2002
+++ krb5/lib/krb5/krb/gic_pwd.c Fri Dec 21 13:54:00 2001
@@ -304,11 +304,11 @@
with timezones, etc. */

if (prompter &&
- (in_tkt_service &&
+ (!in_tkt_service ||
(strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
((ret = krb5_timeofday(context, &now)) == 0) &&
as_reply->enc_part2->key_exp &&
((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
(hours >= 0)) {
if (hours < 1)
sprintf(banner,
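Review bot: the swap to `+ (!in_tkt_service ||` is the right fix for the logic reported: with `||`, `strcmp` is reached only when `in_tkt_service` is non-NULL, so a NULL service (what login.krb5 passes for the default krbtgt request) now falls through to the `key_exp` checks instead of disabling the warning, and only an explicit "kadmin/changepw" suppresses it. Two things to note when applying it: the `+++` timestamp (Fri Dec 21 2001) is older than the `---` one (Wed Jan 9 2002), so the patch was taken from a local tree rather than a fresh krb5-1.2.3 checkout and should be re-applied against the current gic_pwd.c; and the `hours` computation on the following lines uses integer division, which truncates toward zero in C, so a key_exp a few minutes in the past yields `hours == 0`, passes `hours >= 0`, and prints the under-one-hour banner rather than nothing, which is harmless but worth a comment.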
>Audit-Trail:
>Unformatted:
From: kenh@mit.edu
Subject: CVS Commit
In kerberos-clarifications, a new last-req type (6) has been specified
that indicates when a principal's password will expire. This code implements
support for this last-req type. Note that the intent is that the last-req
type will only be included by the KDC when the time until password expiration
reaches some threshold (e.g., one week), so this code will display the
password expiration anytime the last-req type is included.

To generate a diff of this commit:

cvs diff -r1.320 -r1.321 krb5/src/include/ChangeLog
cvs diff -r1.141 -r1.142 krb5/src/include/krb5.hin
cvs diff -r5.350 -r5.351 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.15 -r5.16 krb5/src/lib/krb5/krb/gic_pwd.c

To: rt-comment@krbdev.mit.edu
Cc: kenh@MIT.EDU
Subject: [krbdev.mit.edu #1065] CVS Commit
Date: Wed, 23 Oct 2002 16:32:51 -0400
From: Ezra Peisach <epeisach@MIT.EDU>
RT-Send-Cc:

Is there a reason you do not allow for the type to be -6? According
to clarifications:
>Negative values indicate that the information pertains
>only to the responding server. Non-negative values pertain to all
>servers for the realm.
While I believe we will only send a non-negative value,
your code should test for the negative one as well...

Ezra

To: Ezra Peisach <epeisach@MIT.EDU>
Cc: rt-comment@krbdev.mit.edu, kenh@MIT.EDU
Subject: Re: [krbdev.mit.edu #1065] CVS Commit
Date: Wed, 23 Oct 2002 16:34:56 -0400
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
RT-Send-Cc:
>Is there a reason you do not allow for the type to be -6? According
>to clarifications:
>>Negative values indicate that the information pertains
>>only to the responding server. Non-negative values pertain to all
>>servers for the realm.
>While I believe we will only send a non-negative value,
>your code should test for the negative one as well...

Fair enough ... I'll correct that.

--Ken
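As an added worked example (not code from the krb5 tree, the ticket, or the CVS commit), the following C models the two checks this ticket discusses: the gic_pwd.c warning predicate in its krb5-1.2.3 form and its fixed form, the whole-hours computation from the same block, and a scan of the AS-REP last-req list for the clarifications type-6 entry that also accepts -6, as Ezra asked. The names lr_entry_t and krb5_timestamp_t (a stand-in for krb5_timestamp), the function names pw_warn_buggy, pw_warn_fixed, hours_until_expiry and find_pw_expiry, and the sample last-req lists are all constructed for the example.

```c
/* Added example, not code from krb5 or from this ticket. It models the
 * gic_pwd.c expiry-warning predicate (1.2.3 form and fixed form), the
 * hours computation next to it, and a last-req scan for type 6 / -6.
 * All type and function names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t krb5_timestamp_t;   /* stand-in for krb5_timestamp (assumption) */

/* Stand-in for a krb5 last-req entry: {lr_type, lr_value}. */
typedef struct {
    int32_t lr_type;
    krb5_timestamp_t lr_value;
} lr_entry_t;

#define LR_TYPE_PW_EXPIRY 6        /* clarifications: time the password expires */
#define WARN_WINDOW_HOURS (7 * 24) /* warn within one week, as in gic_pwd.c  */

/* The condition as it stands in krb5-1.2.3: it warns only when a non-NULL
 * in_tkt_service is given. A NULL service (the default krbtgt request that
 * login.krb5 makes) never warns: the bug reported in this ticket. */
static int pw_warn_buggy(int have_prompter, const char *in_tkt_service)
{
    return have_prompter &&
           (in_tkt_service &&
            (strcmp(in_tkt_service, "kadmin/changepw") != 0));
}

/* The condition after the fix: warn unless the caller explicitly asks for
 * kadmin/changepw. The || short-circuits before strcmp can see a NULL. */
static int pw_warn_fixed(int have_prompter, const char *in_tkt_service)
{
    return have_prompter &&
           (!in_tkt_service ||
            (strcmp(in_tkt_service, "kadmin/changepw") != 0));
}

/* Whole hours until key_exp, keeping the integer division from gic_pwd.c.
 * Returns -1 when key_exp is 0 (no expiry), when the result is negative, or
 * when it is beyond WARN_WINDOW_HOURS: the cases in which no banner prints.
 * C division truncates toward zero, so an expiry a few minutes in the past
 * still yields 0, exactly as the original code behaves. */
static long hours_until_expiry(krb5_timestamp_t key_exp, krb5_timestamp_t now)
{
    long hours;
    if (!key_exp)
        return -1;
    hours = ((long)key_exp - (long)now) / (60 * 60);
    if (hours < 0 || hours > WARN_WINDOW_HOURS)
        return -1;
    return hours;
}

/* Scan a last-req list for the password-expiry entry. Both 6 and -6 are
 * accepted: per the clarifications text quoted in the ticket, a negative
 * type pertains only to the responding server and a non-negative one to
 * the whole realm, but either tells the user when the password expires.
 * Returns 0 when no such entry is present. */
static krb5_timestamp_t find_pw_expiry(const lr_entry_t *lr, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) {
        if (lr[i].lr_type == LR_TYPE_PW_EXPIRY ||
            lr[i].lr_type == -LR_TYPE_PW_EXPIRY)
            return lr[i].lr_value;
    }
    return 0;
}

/* Constructed sample last-req lists (not captured from any KDC). */
static const lr_entry_t sample_realm_lr[]  = { {1, 1014400000}, {6, 1015000000} };
static const lr_entry_t sample_server_lr[] = { {-6, 1015000000} };
static const lr_entry_t sample_no_lr[]     = { {1, 1014400000} };

int main(void)
{
    printf("NULL service, 1.2.3 test: %d  fixed test: %d\n",
           pw_warn_buggy(1, NULL), pw_warn_fixed(1, NULL));
    printf("hours until expiry (3h away): %ld\n",
           hours_until_expiry(1000 + 3 * 3600, 1000));
    printf("realm last-req expiry: %ld  server-local: %ld  none: %ld\n",
           (long)find_pw_expiry(sample_realm_lr, 2),
           (long)find_pw_expiry(sample_server_lr, 1),
           (long)find_pw_expiry(sample_no_lr, 1));
    return 0;
}
```

Running it shows the reported behaviour directly: pw_warn_buggy returns 0 for a NULL service while pw_warn_fixed returns 1, and both return 0 for "kadmin/changepw". The hours_until_expiry helper keeps the original integer division on purpose; because C truncates toward zero, a key_exp a few minutes in the past gives 0 rather than a negative number, so the original hours >= 0 test still passes and the under-one-hour banner prints for an already-expired key.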