[Bug 988520] Re: After failed auth, subsequent auths in same context fail
Robie Basak
988520 at bugs.launchpad.net
Tue May 15 03:05:44 UTC 2012
Russ: thanks for the test case! I've turned this into a script that
doesn't depend on an existing Kerberos realm. But the script does rely
on git.eyrie.org as the current Debian pam-krb5 doesn't appear to have
the test that we need.
I've used the test case to verify that this bug is fixed if I build and
install the latest Debian 1.10.1+dfsg-1 in Ubuntu by hand. Thus this bug
will be fixed in the development release of Ubuntu as soon as we resync
from Debian.
I've also prepared an SRU for precise, test built it, and tested both
upgrade and fresh install using the test case.
** Attachment added: "Test Case"
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520/+attachment/3146878/+files/testcase.sh
https://bugs.launchpad.net/bugs/988520
Title:
After failed auth, subsequent auths in same context fail
Status in “krb5” package in Ubuntu:
Triaged
Status in “krb5” package in Debian:
Fix Released
Bug description:
SRU Justification
[Impact]
If an authentication fails after preauth was requested, all subsequent
preauth-required authentications in the same Kerberos context will
also fail. This breaks password change when credentials have expired,
and also breaks try_first_pass functionality in Kerberos PAM modules.
[Development Fix]
New upstream release. Updated in Debian. Pending sync in Ubuntu.
Verified in Ubuntu manually.
[Stable Fix]
Upstream patch cherry-picked. Debdiff attached.
[Test Case]
testcase.sh attached.
[Regression Potential]
Low: one line patch for missing initialisation written by upstream.
Original report by Russ Allbery:
MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in
the tracking of preauth mechanisms such that, if an authentication
fails after preauth was requested, all subsequent preauth-required
authentications in the same Kerberos context will also fail.
This breaks password change when credentials have expired, and also
breaks try_first_pass functionality in Kerberos PAM modules.
Upstream has fixed this problem in their mainline with commit 25822.