Subject: libss without readline can interfere with reading passwords
Without readline support, libss uses a dummy version which just calls
fgets() on stdin.

krb5_read_password() (used by ktutil and kadmin) uses
krb5_prompter_posix(), which opens its own unbuffered copy of fd 0.
Therefore, it will not see any data buffered within stdin.

Put together, kadmin or ktutil can exhibit incorrect behavior when
fed mixed libss and password input over a pipe or from a file:

$ kadmin.local << EOF
cpw user
pw
pw
EOF
Authenticating as principal user/admin@KRBTEST.COM with password.
kadmin.local: Enter password for principal "user@KRBTEST.COM":
change_password: Cannot read password while reading password for
"user@KRBTEST.COM".
kadmin.local: kadmin.local: Unknown request "pw". Type "?" for
a request list.
kadmin.local: kadmin.local: Unknown request "pw". Type "?" for
a request list.
kadmin.local:

If ss is built with readline support, this bug does not manifest
because readline() is careful not to read any characters from fd 0
beyond the newline.

From: ghudson@mit.edu
Subject: git commit

Disable stdin buffering in libss dummy readline

readline() is careful not to read more bytes from fd 0 than it has to.
Do the same in the dummy libss readline() by disabling stdin
buffering.

https://github.com/krb5/krb5/commit/64eece071583f52b0eca8285848ab2746c14a769
Author: Greg Hudson <ghudson@mit.edu>
Commit: 64eece071583f52b0eca8285848ab2746c14a769
Branch: master
src/util/ss/listen.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)