[Bug 988520] Re: After failed auth, subsequent auths in same context fail

Robie Basak 988520 at bugs.launchpad.net
Wed May 23 06:56:16 UTC 2012


Verified fixed on Quantal. Just need the SRU for Precise now. Note that
the test script fails some other tests. This bug addresses the "module
/bad-authtok" test only.

** Description changed:

  SRU Justification
  
  [Impact]
  
  If an authentication fails after preauth was requested, all subsequent
  preauth-required authentications in the same Kerberos context will also
  fail. This breaks password change when credentials have expired, and
  also breaks try_first_pass functionality in Kerberos PAM modules.
  
  [Development Fix]
  
- New upstream release. Updated in Debian. Pending sync in Ubuntu.
- Verified in Ubuntu manually.
+ New upstream release. Updated in Debian. Synced in Ubuntu. Verified
+ fixed on Quantal using test case below.
  
  [Stable Fix]
  
  Upstream patch cherry-picked. Debdiff attached.
  
  [Test Case]
  
  testcase.sh attached.
  
  [Regression Potential]
  
  Low: one line patch for missing initialisation written by upstream.
  
  
  Original report by Russ Allbery:
  
  MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in
  the tracking of preauth mechanisms such that, if an authentication fails
  after preauth was requested, all subsequent preauth-required
  authentications in the same Kerberos context will also fail.
  
  This breaks password change when credentials have expired, and also
  breaks try_first_pass functionality in Kerberos PAM modules.
  
  Upstream has fixed this problem in their mainline with commit 25822.

** Changed in: krb5 (Ubuntu)
       Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/988520

Title:
  After failed auth, subsequent auths in same context fail

Status in “krb5” package in Ubuntu:
  Fix Released
Status in “krb5” package in Debian:
  Fix Released


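As an added illustration (not the attached testcase.sh and not krb5's code), the following constructed Python model shows the failure mode the report describes: a context object carries per-attempt preauth bookkeeping, and when that bookkeeping is not re-initialised for each attempt, one failed authentication poisons every later attempt in the same context. The principal, password and result strings are made up for the example.

```python
"""Constructed model of the stale-preauth-state bug, not real krb5 internals."""
from dataclasses import dataclass, field

# Constructed credential store standing in for the KDC's view of the principal.
KDC_PASSWORDS = {"alice@EXAMPLE.COM": "correct horse"}


@dataclass
class Context:
    """Toy stand-in for a long-lived krb5 context shared across attempts."""
    # Per-attempt bookkeeping of preauth mechanisms that have already failed.
    preauth_failed: set = field(default_factory=set)


def get_init_creds(ctx, principal, password, reset_state):
    """One preauth-required authentication attempt against the toy KDC.

    reset_state=False models the missing initialisation: the per-attempt set
    survives from the previous call, so the only mechanism is treated as
    already tried-and-failed and the attempt is rejected before the password
    is even checked.  reset_state=True models the upstream fix.
    Return values are placeholders, not krb5 error codes.
    """
    if reset_state:
        ctx.preauth_failed = set()
    mech = "encrypted-timestamp"
    if mech in ctx.preauth_failed:
        return "PREAUTH_FAILED"  # no mechanism left to try in this context
    if KDC_PASSWORDS.get(principal) == password:
        return "OK"
    ctx.preauth_failed.add(mech)
    return "PREAUTH_FAILED"


def bad_then_good(reset_state):
    """The try_first_pass shape: wrong password, then the right one, same ctx."""
    ctx = Context()
    first = get_init_creds(ctx, "alice@EXAMPLE.COM", "wrong", reset_state)
    second = get_init_creds(ctx, "alice@EXAMPLE.COM", "correct horse", reset_state)
    return first, second
```

A regression check for this class of bug asserts that the second attempt succeeds when the state is reset and fails when it is not.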