Logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok()? - Samba


Thread: Logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok()?

  1. Logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok()?

    Hi, All:

    There is a logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok().
    In pam_sm_chauthtok(), WINBIND_CACHED_LOGIN is cleared, which causes WBFLAG_PAM_CACHED_LOGIN
    to be cleared. But in winbindd_dual_pam_chauthtok(),

        if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
            /* Update cached credentials. */
        }

    Since WBFLAG_PAM_CACHED_LOGIN is cleared, the cached credential is never updated when the
    password is changed.

    Patches for v3-0-test, v3-2-test, v3-3-test in attachment.

    Please review it.
    Thanks!

    Best
    Regards
    BoYang


  2. Re: Logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok()?

    Bo Yang wrote:
    > Hi, All:
    >
    > There is a logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok().
    > In pam_sm_chauthtok(), WINBIND_CACHED_LOGIN is cleared, which causes WBFLAG_PAM_CACHED_LOGIN
    > to be cleared. But in winbindd_dual_pam_chauthtok(),
    >
    >     if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
    >         /* Update cached credentials. */
    >     }
    >
    > Since WBFLAG_PAM_CACHED_LOGIN is cleared, the cached credential is never updated when the
    > password is changed.
    >
    > Patches for v3-0-test, v3-2-test, v3-3-test in attachment.
    >
    > Please review it.


    The idea behind disabling the cached creds flag was to not let the user
    type three passwords before noticing that the DC is unavailable,
    therefore that flag should remain turned off for auth (to make sure we're
    really verifying the creds against a living DC) and then turned on (if
    globally enabled) for the chauthtok only (to store modified creds).

    I'm going to check in a modified version of your patch.

    Thanks,
    Guenther


    --
    Günther Deschner GPG-ID: 8EE11688
    Red Hat gdeschner@redhat.com
    Samba Team gd@samba.org
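The flag handling discussed in both posts, as an added stand-alone model (not Samba source and not the attached patch): the cached-login flag is kept off for the auth step, so a dead DC fails immediately instead of falling back to the cache, and is set only for the chauthtok request so the cache is refreshed. The flag value, the struct and the function names are assumptions of this model; only the flag name comes from the thread.

```c
/* Stand-alone model of the flag logic discussed in the thread; not Samba code.
 * WBFLAG_PAM_CACHED_LOGIN keeps the name from the thread, its value is made up. */
#include <stdbool.h>
#include <stdint.h>

#define WBFLAG_PAM_CACHED_LOGIN 0x1u   /* assumed value for this model only */

struct pam_request { uint32_t flags; };

/* Auth step: a live DC always decides; the cache may only answer when the
 * request carries the cached-login flag. */
static bool pam_auth(const struct pam_request *req, bool dc_ok, bool cache_valid)
{
    if (dc_ok) return true;
    if (req->flags & WBFLAG_PAM_CACHED_LOGIN) return cache_valid;
    return false;   /* DC unreachable and no cached fallback: fail right away */
}

/* Chauthtok step mirroring the condition quoted in the first post: the cache
 * is refreshed only when the flag survived into this request. Returns whether
 * the cached credentials were updated. */
static bool dual_pam_chauthtok(const struct pam_request *req, bool status_ok)
{
    return status_ok && (req->flags & WBFLAG_PAM_CACHED_LOGIN);
}

/* Behaviour reported as the bug: the flag is cleared up front, so the
 * chauthtok path never sees it and the cached credentials go stale. */
static bool change_password_buggy(bool cached_enabled, bool dc_ok, bool cache_valid)
{
    struct pam_request req = { .flags = 0 };   /* cleared unconditionally */
    (void)cached_enabled;
    if (!pam_auth(&req, dc_ok, cache_valid)) return false;
    return dual_pam_chauthtok(&req, dc_ok);
}

/* Behaviour Guenther describes: flag off for auth (verify against a living
 * DC), then on for chauthtok only, and only if cached logins are enabled. */
static bool change_password_fixed(bool cached_enabled, bool dc_ok, bool cache_valid)
{
    struct pam_request auth_req = { .flags = 0 };
    if (!pam_auth(&auth_req, dc_ok, cache_valid)) return false;
    struct pam_request chg_req = {
        .flags = cached_enabled ? WBFLAG_PAM_CACHED_LOGIN : 0
    };
    return dual_pam_chauthtok(&chg_req, dc_ok);
}
```

Both top-level functions return true only when the cached credentials were refreshed; the buggy path never returns true, while the fixed path does so only with a reachable DC and cached logins enabled.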

