Re: Logical hole in pam_sm_chauthtok()and winbindd_dual_pam_chauthtok()? - Samba

This is a discussion on Re: Logical hole in pam_sm_chauthtok()and winbindd_dual_pam_chauthtok()? - Samba ; Guenther: Thank you for your explanation of the problem, I understand it. I'll post the modified patch as soon as possible. Thanks! >>> Guenther Deschner 06/06/08 11:58 PM >>> Bo Yang wrote: > Hi, All: > > There is a ...

+ Reply to Thread
Results 1 to 2 of 2

Thread: Re: Logical hole in pam_sm_chauthtok()and winbindd_dual_pam_chauthtok()?

  1. Re: Logical hole in pam_sm_chauthtok()and winbindd_dual_pam_chauthtok()?

    Guenther:

    Thank you for your explanation of the problem, I understand it.

    I'll post the modified patch as soon as possible.

    Thanks!

    >>> Guenther Deschner 06/06/08 11:58 PM >>>

    Bo Yang wrote:
    > Hi, All:
    >
    > There is a logical hole in pam_sm_chauthtok() and winbindd_dual_pam_chauthtok().
    > In pam_sm_chauthtok(), WINBIND_CACHED_LOGIN is cleared, which causes WBFLAG_PAM_CACHED_LOGIN
    > cleared. But in winbindd_dual_pam_chauthtok(),
    >
    > if (NT_STATUS_IS_OK(result) && (state->request.flags & WBFLAG_PAM_CACHED_LOGIN)) {
    > Update cached credentials.
    > }
    > But WBFLAG_PAM_CACHED_LOGIN is cleared, therefore, cached credential is never updated when password is
    > changed.
    >
    > Patches for v3-0-test, v3-2-test, v3-3-test in attachment.
    >
    > Please review it.


    The idea behind disabling the cached creds flag was to not let the user
    type three passwords before getting noticed that the DC is unavailable,
    therefor that flag should remain turned off for auth (to make sure we're
    really verifiying the creds against a living DC) and then turned on (if
    globally enabled) for the chauthtok only (to store modified creds).

    I'm going to check in a modified version of your patch.

    Thanks,
    Guenther


    --
    Günther Deschner GPG-ID: 8EE11688
    Red Hat gdeschner@redhat.com
    Samba Team gd@samba.org


  2. Re: Logical hole inpam_sm_chauthtok() and winbindd_dual_pam_chauthtok()?

    Bo Yang wrote:
    > Guenther:
    >
    > Thank you for your explanation of the problem, I understand it.
    >
    > I'll post the modified patch as soon as possible.


    Eh, I'm afraid I commited a modified patch already, sorry

    But thanks for catching this!

    Guenther

    --
    Günther Deschner GPG-ID: 8EE11688
    Red Hat gdeschner@redhat.com
    Samba Team gd@samba.org


+ Reply to Thread