From dsr@lnscu5.lns.cornell.edu Fri Feb 22 14:55:48 2002
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id OAA20841
for <bugs@RT-11.mit.edu>; Fri, 22 Feb 2002 14:55:47 -0500 (EST)
Received: from lnscu5.lns.cornell.edu (lnscu5.lns.cornell.edu [128.84.44.111])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id OAA19307
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 14:55:47 -0500 (EST)
Received: from lnscu6.lns.cornell.edu (lnscu6.lns.cornell.edu [128.84.45.151])
by lnscu5.lns.cornell.edu (8.12.1/8.12.1) with ESMTP id g1MJtko2013060
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 14:55:46 -0500 (EST)
Received: by lnscu6.lns.cornell.edu (8.8.8/1.1.22.3/15Feb00-0854AM)
id OAA0000019806; Fri, 22 Feb 2002 14:55:46 -0500 (EST)
Message-Id: <200202221955.OAA0000019806@lnscu6.lns.cornell.edu>
Date: Fri, 22 Feb 2002 14:55:46 -0500 (EST)
From: Dan Riley <dsr@mail.lns.cornell.edu>
Reply-To: dsr@mail.lns.cornell.edu
To: krb5-bugs@mit.edu
Subject: krb5_get_init_creds_password does not warn about password expiration
X-Send-Pr-Version: 3.99
Machine: alpha
the user when password expiration is near. It does not do so if no
in_tkt_service is provided, due to a logic bug. The code
if (prompter &&
(in_tkt_service &&
(strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
[...]
is, I believe, supposed to not warn only if in_tkt_service is
"kadmin/changepw". However, if in_tkt_service is NULL, the first part
of the && fails and the entire && fails.
key expiration field to) to expire in a few hours. Try to login
via login.krb5 or equivalent. Note that no warning is issued.
is not kadmin/changepw":
diff -ur krb5-1.2.3/src/lib/krb5/krb/gic_pwd.c krb5/lib/krb5/krb/gic_pwd.c
--- krb5-1.2.3/src/lib/krb5/krb/gic_pwd.c Wed Jan 9 17:27:57 2002
+++ krb5/lib/krb5/krb/gic_pwd.c Fri Dec 21 13:54:00 2001
@@ -304,11 +304,11 @@
with timezones, etc. */
if (prompter &&
- (in_tkt_service &&
+ (!in_tkt_service ||
(strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
((ret = krb5_timeofday(context, &now)) == 0) &&
as_reply->enc_part2->key_exp &&
((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
(hours >= 0)) {
if (hours < 1)
sprintf(banner,
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id OAA20841
for <bugs@RT-11.mit.edu>; Fri, 22 Feb 2002 14:55:47 -0500 (EST)
Received: from lnscu5.lns.cornell.edu (lnscu5.lns.cornell.edu [128.84.44.111])
by fort-point-station.mit.edu (8.9.2/8.9.2) with ESMTP id OAA19307
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 14:55:47 -0500 (EST)
Received: from lnscu6.lns.cornell.edu (lnscu6.lns.cornell.edu [128.84.45.151])
by lnscu5.lns.cornell.edu (8.12.1/8.12.1) with ESMTP id g1MJtko2013060
for <krb5-bugs@mit.edu>; Fri, 22 Feb 2002 14:55:46 -0500 (EST)
Received: by lnscu6.lns.cornell.edu (8.8.8/1.1.22.3/15Feb00-0854AM)
id OAA0000019806; Fri, 22 Feb 2002 14:55:46 -0500 (EST)
Message-Id: <200202221955.OAA0000019806@lnscu6.lns.cornell.edu>
Date: Fri, 22 Feb 2002 14:55:46 -0500 (EST)
From: Dan Riley <dsr@mail.lns.cornell.edu>
Reply-To: dsr@mail.lns.cornell.edu
To: krb5-bugs@mit.edu
Subject: krb5_get_init_creds_password does not warn about password expiration
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 1065
>Category: krb5-libs
>Synopsis: gic_pwd does not warn about password expiration
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 22 14:56:00 EST 2002
>Last-Modified:
>Originator: Dan Riley
>Organization:
LNS, Cornell U.>Category: krb5-libs
>Synopsis: gic_pwd does not warn about password expiration
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Feb 22 14:56:00 EST 2002
>Last-Modified:
>Originator: Dan Riley
>Organization:
Show quoted text
>Release: krb5-1.2.3
>Environment:
System: OSF1 lnscu6.lns.cornell.edu V4.0 1229 alpha>Environment:
Machine: alpha
Show quoted text
>Description:
If given a prompter krb5_get_init_creds_password is supposed to warnthe user when password expiration is near. It does not do so if no
in_tkt_service is provided, due to a logic bug. The code
if (prompter &&
(in_tkt_service &&
(strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
[...]
is, I believe, supposed to not warn only if in_tkt_service is
"kadmin/changepw". However, if in_tkt_service is NULL, the first part
of the && fails and the entire && fails.
Show quoted text
>How-To-Repeat:
Set a principal (or password, depending on what your kdc sets thekey expiration field to) to expire in a few hours. Try to login
via login.krb5 or equivalent. Note that no warning is issued.
Show quoted text
>Fix:
The correct test is "no in_tkt_service provided or in_tkt_serviceis not kadmin/changepw":
diff -ur krb5-1.2.3/src/lib/krb5/krb/gic_pwd.c krb5/lib/krb5/krb/gic_pwd.c
--- krb5-1.2.3/src/lib/krb5/krb/gic_pwd.c Wed Jan 9 17:27:57 2002
+++ krb5/lib/krb5/krb/gic_pwd.c Fri Dec 21 13:54:00 2001
@@ -304,11 +304,11 @@
with timezones, etc. */
if (prompter &&
- (in_tkt_service &&
+ (!in_tkt_service ||
(strcmp(in_tkt_service, "kadmin/changepw") != 0)) &&
((ret = krb5_timeofday(context, &now)) == 0) &&
as_reply->enc_part2->key_exp &&
((hours = ((as_reply->enc_part2->key_exp-now)/(60*60))) <= 7*24) &&
(hours >= 0)) {
if (hours < 1)
sprintf(banner,
Show quoted text
>Audit-Trail:
>Unformatted:
>Unformatted: