>From 6e91d0b307b05030042d2a2b1a12c9555a41fdce Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 18 Mar 2014 16:48:11 +0100
Subject: [PATCH] KRB5: Do not attemtp to get a TGT after a password change using OTP

https://fedorahosted.org/sssd/ticket/2271

The current krb5_child code attempts to get a TGT for the convenience of the user using the new password after a password change operation. However, an OTP should never be used twice, which means we can't perform the kinit operation after chpass is finished.

Instead, we only print a DEBUG information instructing the user to kinit manually.
---
 src/providers/krb5/krb5_child.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 1bff0e99b586e0b1a54a660320f91cdab275fbe1..6e269b0a04aea9f4e73cc1a5f8d32c2243d933d0 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -45,6 +45,7 @@ struct krb5_req {
     krb5_principal princ;
     char* name;
     krb5_creds *creds;
+    bool otp;
     krb5_get_init_creds_opt *options;
 
     struct pam_data *pd;
@@ -287,6 +288,8 @@ static krb5_error_code answer_otp(krb5_context ctx,
         goto done;
     }
 
+    kr->otp = true;
+
     /* Validate our assumptions about the contents of authtok. */
     ret = sss_authtok_get_password(kr->pd->authtok, &pwd, &len);
     if (ret != EOK)
@@ -612,6 +615,8 @@ static errno_t k5c_send_data(struct krb5_req *kr, int fd, errno_t error)
     size_t len;
     int ret;
 
+    DEBUG(SSSDBG_FUNC_DATA, "Received error %d\n", error);
+
     ret = pack_response_packet(kr, error, kr->pd->resp_list, &buf, &len);
     if (ret != EOK) {
         DEBUG(SSSDBG_CRIT_FAILURE, "pack_response_packet failed.\n");
@@ -1022,6 +1027,8 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
     uint8_t *msg;
 
     DEBUG(SSSDBG_TRACE_LIBS, "Password change operation\n");
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "chpass is%s using OTP\n", kr->otp ? "" : " not");
 
     ret = sss_authtok_get_password(kr->pd->authtok, &password, NULL);
     if (ret != EOK) {
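Review bot: The new `bool otp` member of struct krb5_req is undocumented, and nothing in this patch shows it being set to false anywhere; the only writer is `kr->otp = true` in answer_otp(), so the flag is correct only if the struct is zero-allocated, which is outside the hunk and worth confirming at the allocation site. Document the member's meaning next to it, for example `bool otp; /* set by answer_otp(); a one-time token must not be reused for the post-chpass kinit */`. The struct definition continues outside the hunk.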
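Review bot: The `"chpass is%s using OTP\n"` trace added after the "Password change operation" message is repeated verbatim by the hunk at @@ -1046 a few lines later in the same function, where it lands between the krb5_get_init_creds_password() call and its `if (kerr != 0)` check; one of the two looks like a leftover from debugging. Keep only this one, at the start of the operation, and drop the copy in the later hunk. changepw_child continues outside the hunk.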
@@ -1046,6 +1053,8 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
                                         prompter, kr, 0,
                                         SSSD_KRB5_CHANGEPW_PRINCIPAL,
                                         kr->options);
+    DEBUG(SSSDBG_TRACE_INTERNAL,
+          "chpass is%s using OTP\n", kr->otp ? "" : " not");
     if (kerr != 0) {
         ret = pack_user_info_chpass_error(kr->pd, "Old password not accepted.",
                                           &msg_len, &msg);
@@ -1145,6 +1154,14 @@ static errno_t changepw_child(struct krb5_req *kr, bool prelim)
     krb5_free_cred_contents(kr->ctx, kr->creds);
 
+    if (kr->otp == true) {
+        DEBUG(SSSDBG_IMPORTANT_INFO,
+              ("Password change succeeded but currently "
+               "post-chpass kinit is not implemented\n"));
+        sss_authtok_set_empty(kr->pd->newauthtok);
+        return map_krb5_error(kerr);
+    }
+
     kerr = get_and_save_tgt(kr, newpassword);
     sss_authtok_set_empty(kr->pd->newauthtok);
-- 
1.8.5.3
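Review bot: The new OTP branch wraps the DEBUG format string in an extra pair of parentheses, `("Password change succeeded but currently " "post-chpass kinit is not implemented\n")`, while every other DEBUG call added by this same patch passes its arguments unwrapped; for consistency write it as `DEBUG(SSSDBG_IMPORTANT_INFO, "Password change succeeded but currently " "post-chpass kinit is not implemented\n");`. That message also goes only to the sssd debug log, so the user is not actually told to run kinit as the commit description says; if the hint is meant for the user it would have to travel in the response packet, as the "Old password not accepted." case does. `return map_krb5_error(kerr)` depends on kerr still holding the result of the password change at this point, which is assigned outside the hunk, so a one-line comment such as `/* kerr is the successful chpass status; the OTP may not be reused for kinit */` would make the early return self-explanatory. changepw_child starts and ends outside the hunk.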