Skip Menu |

Subject: Can't get initial creds with empty password via API
Passing an empty password to krb5_get_init_creds_password or
krb5_init_creds_set_password doesn't not work; it is treated the same as
an unspecified password. See also:
Subject: git commit
Download (untitled) / with headers
text/plain 1.1KiB

Make empty passwords work via init_creds APIs

In the gak_data value used by krb5_get_as_key_password, separate the
already-known password from the storage we might have allocated to put
it in, so that we no longer use an empty data buffer to determine
whether we know the password. This allows empty passwords to work via
the API.

Remove the kadm5 test which explicitly uses an empty password.

Based on a patch from Stef Walter.
Author: Greg Hudson <>
Commit: f3458ed803ae97b6c6c7c63baeb82b26c4943d4c
Branch: master
src/lib/kadm5/unit-test/api.current/init.exp | 27 -------
src/lib/krb5/krb/get_in_tkt.c | 5 +-
src/lib/krb5/krb/gic_pwd.c | 107 +++++++++++++-------------
src/lib/krb5/krb/init_creds_ctx.h | 7 ++-
src/tests/ | 11 ++-
src/tests/deps | 2 +
src/tests/ | 9 ++
src/tests/t_init_creds.c | 88 +++++++++++++++++++++
8 files changed, 166 insertions(+), 90 deletions(-)