After failed auth, subsequent auths in same context fail
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
krb5 (Debian) | Fix Released | Unknown | | |
krb5 (Ubuntu) | Fix Released | Medium | Unassigned | |
Precise | Fix Released | Medium | Unassigned | |
Bug Description
SRU Justification
[Impact]
If an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
[Development Fix]
New upstream release. Updated in Debian. Synced in Ubuntu. Verified fixed on Quantal using test case below.
[Stable Fix]
Upstream patch cherry-picked. Debdiff attached.
[Test Case]
testcase.sh attached.
[Regression Potential]
Low: one line patch for missing initialisation written by upstream.
Original report by Russ Allbery:
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822.
Changed in krb5 (Debian): status: Unknown → New
Changed in krb5 (Debian): status: New → Fix Committed
Changed in krb5 (Debian): status: Fix Committed → Fix Released
description: updated
Changed in krb5 (Ubuntu): status: Incomplete → Triaged
Changed in krb5 (Ubuntu Precise): status: New → Triaged; importance: Undecided → Medium
tags: added: verification-done; removed: verification-needed
Thanks for taking the time to report this bug in Ubuntu.
As 12.04 is running 1.10+dfsg~beta1 we will need to pick up this fix.
Fix: http://src.mit.edu/fisheye/changelog/krb5/?cs=25822
Upstream bug: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7119