[PATCH] Do not accept zero-length passwords in the Kerberos provider
by Stephen Gallagher
During internal testing and review, we discovered that the 0.99.1
preview release contained a security bug.
On SSSD configurations using Kerberos 5 for authentication with cached
credentials enabled, users of the Kerberos domain were able to
successfully authenticate with a zero-length password. The kerberos
child process (which performs kerberos auth on behalf of the user in
order to guarantee correct ownership of the credential cache) was
interpreting a zero-length password as an offline authentication attempt
and was generating the special expired credential cache that an offline
login would have instead of authenticating against the KDC. The attached
patch ensures that we do not treat zero-length passwords as successful
offline authentications.
This security flaw exists ONLY in the 0.99.x release candidate series,
and not in 0.7.1 or other stable releases.
--
Stephen Gallagher
RHCE 804006346421761
Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
[PATCH] Fix ldap/krb5 children
by Simo Sorce
A few bugs in the ldap and krb5 children were found while investigating a
segfault in the ldap_child caused by a bad memory hierarchy and failed
cleanup.
See the patch description for further changes and cleanups.
Simo.
[PATCH] Fix for #344
by Sumit Bose
Hi,
this patch should fix #344
Currently we recreate non-existing ccache files, which may result in
problems if the user is still logged in. This patch ignores non-existing
ccache files and checks if there are still user processes running.
bye,
Sumit
[PATCH] Do not overwrite valid TGTs when offline
by Sumit Bose
Hi,
this patch should fix #327.
Currently an empty ticket is created if the client is offline. This
patch checks if there already is a ccache file and if it contains a
valid, i.e. not expired, TGT. If this is true the ccache file and the TGT
are used.
bye,
Sumit
[PATCH] Handle chauthtok with PAM_PRELIM_CHECK separately
by Sumit Bose
Hi,
this patch should fix #326 "Missing checks in PAM_PRELIM_CHECK"
Currently we collect the old and new password in pam_sss and send them
together to the sssd to change the password. But it is expected that
during the first call to pam_sm_chauthtok, when PAM_PRELIM_CHECK is set,
the old password is validated to give a feedback to the user before the
new password is requested.
Please check and test carefully.
bye,
Sumit
[PATCH] Add some missing DEBUG messages
by Stephen Gallagher
getgruid() and getgrnam() both had
DEBUG(6, ("Returning info for group..."
DEBUG messages. This patch adds the same functionality to getpwuid() and
getpwnam() for consistent logging.
--
Stephen Gallagher
[PATCH] Clarify access_provider manpage entry
by Stephen Gallagher
See $SUBJECT
--
Stephen Gallagher
[PATCH] Properly handle EINTR in sss_client
by Stephen Gallagher
We were treating all errno responses from poll() as a fatal error. We
need to handle EINTR and retry the poll().
This solves the long-standing (but only recently opened)
https://fedorahosted.org/sssd/ticket/335
--
Stephen Gallagher