From: Nicolas Williams (Nicolas.Williamsubsw.com)
Date: Sun Mar 04 2001 - 13:21:34 CST

    BTW, my guess is the FreeBSD folk never tested the password-changing/aging
    aspect of this PAM_KRB5 module. Either that or this bug mystified them.

    Plus there's another bug in this module, as I mentioned before, in
    that it does not copy the null-termination to the krb5_data response
    buffers provided by krb5_get_init_password(). This isn't obviously
    necessary since the length of the strings is recorded in the krb5_data,
    but, unfortunately, krb5_get_init_password() uses strcmp() to compare
    the two new passwords (instead of comparing their length and then using
    strncmp()).

    Sigh...

    Nico

    On Sun, Mar 04, 2001 at 02:13:36PM -0500, Nicolas Williams wrote:
    > Steve,
    >
    > Yes, I see. Solaris conversation functions expect a pointer to the first
    > of a set of contiguous (struct pam_message). Linux-PAM's misc_conv()
    > expects a pointer to an array of pointers to (struct pam_message).
    >
    > What a horrid mistake Sun's developers made. Eeck.
    >
    > We can probably put in #ifdef'ed fixes for this in all modules that
    > prompt for more than one item at a time.
    >
    > Another possible fix would be to make a module prompt for one item at a
    > time. That was something I was already going to make an option in this
    > module because CDE's dtgreet only handles a prompt at a time anyways
    > (which means dtlogin has to break-up multi-prompts and, I think, it is
    > buggy wrt multi-prompts, at least on Solaris 8 BETA_REFRESH [yes, I
    > need to upgrade]).
    >
    > I see no reason why it is necessary or better to send these three prompts at
    > once rather than one after the other:
    >
    > "Password expired. You must change it now."
    > "Enter new password"
    > "Enter it again"
    >
    > That would be a simple fix, though it will only work as long as there
    > isn't an absolute need to prompt multiple prompts in one go.
    >
    > Nico

    --
    

    _______________________________________________ Pam-list mailing list Pam-listredhat.com https://listman.redhat.com/mailman/listinfo/pam-list
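An added example, not code from the FreeBSD pam_krb5 module, Linux-PAM or Solaris, of the layout mismatch Nico describes and of one way a module can keep prompting for all three items in a single conversation call without #ifdefs: lay the messages out in one contiguous array (what a Solaris-style conv dereferences through *msg) and pass an in-order array of pointers to those elements (what Linux-PAM's misc_conv indexes as msg[i]). The struct pam_message / pam_response definitions, the PAM_* constants, the two mock conversation functions, the answer "hunter2" and the function names are all constructed stand-ins so the file builds and runs without a PAM installation; only the three prompt strings are taken from the mail. The copy-out step also adds the explicit NUL termination the mail says the module omits.

```c
/* Added example: one message layout that satisfies both the Solaris and the
 * Linux-PAM reading of the conv() msg argument. Not code from pam_krb5,
 * Linux-PAM or Solaris; the structs and constants below are minimal
 * stand-ins for <security/pam_appl.h> (constructed). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAM_SUCCESS         0
#define PAM_BUF_ERR         5
#define PAM_CONV_ERR        19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_TEXT_INFO       4

struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
typedef int (*conv_fn)(int, const struct pam_message **,
                       struct pam_response **, void *);

static char *dup_string(const char *s)
{
    size_t len = strlen(s) + 1;          /* copy the terminating NUL too */
    char *p = malloc(len);
    if (p != NULL) memcpy(p, s, len);
    return p;
}

static void free_responses(struct pam_response *r, int n)
{
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
}

/* Scripted answers keyed by prompt text (constructed). An unrecognised prompt
 * means the conv was handed the wrong struct, which is what the Solaris vs.
 * Linux-PAM layout mismatch produces. */
static const char *scripted_answer(const struct pam_message *m)
{
    if (m->msg_style == PAM_TEXT_INFO)             return "";
    if (strcmp(m->msg, "Enter new password") == 0) return "hunter2";
    if (strcmp(m->msg, "Enter it again") == 0)     return "hunter2";
    return NULL;
}

/* Fill response i for message m; shared by both mock conversation functions. */
static int answer_one(const struct pam_message *m, struct pam_response *r)
{
    const char *a = scripted_answer(m);
    if (a == NULL) return PAM_CONV_ERR;
    if (m->msg_style == PAM_PROMPT_ECHO_OFF && (r->resp = dup_string(a)) == NULL)
        return PAM_BUF_ERR;
    return PAM_SUCCESS;
}

/* Linux-PAM convention (misc_conv): msg is an array of n pointers. */
static int linux_conv(int n, const struct pam_message **msg,
                      struct pam_response **resp, void *appdata)
{
    (void)appdata;
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        int rc = answer_one(msg[i], &r[i]);          /* i-th pointer */
        if (rc != PAM_SUCCESS) { free_responses(r, n); return rc; }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Solaris convention: *msg points at the first of n contiguous structs. */
static int solaris_conv(int n, const struct pam_message **msg,
                        struct pam_response **resp, void *appdata)
{
    (void)appdata;
    const struct pam_message *base = *msg;           /* contiguous array */
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (r == NULL) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        int rc = answer_one(&base[i], &r[i]);        /* i-th element */
        if (rc != PAM_SUCCESS) { free_responses(r, n); return rc; }
    }
    *resp = r;
    return PAM_SUCCESS;
}

/* Module side: all three prompts in one conv() call. msgs is contiguous (what
 * Solaris walks from *msgp) and msgp[i] == &msgs[i] (what Linux-PAM indexes),
 * so (*msgp)[i] and msgp[i] name the same struct under either convention. */
int prompt_new_password(conv_fn conv, char *newpw, size_t newlen,
                        char *again, size_t againlen)
{
    const struct pam_message msgs[3] = {
        { PAM_TEXT_INFO,       "Password expired. You must change it now." },
        { PAM_PROMPT_ECHO_OFF, "Enter new password" },
        { PAM_PROMPT_ECHO_OFF, "Enter it again" },
    };
    const struct pam_message *msgp[3] = { &msgs[0], &msgs[1], &msgs[2] };
    struct pam_response *resp = NULL;

    int rc = conv(3, msgp, &resp, NULL);
    if (rc != PAM_SUCCESS) return rc;
    if (resp == NULL || resp[1].resp == NULL || resp[2].resp == NULL) {
        if (resp != NULL) free_responses(resp, 3);
        return PAM_CONV_ERR;
    }
    /* Copy out with an explicit terminating NUL, so a later strcmp() on the
     * two new passwords (as in krb5_get_init_password) cannot over-read. */
    snprintf(newpw, newlen, "%s", resp[1].resp);
    snprintf(again, againlen, "%s", resp[2].resp);
    free_responses(resp, 3);
    return PAM_SUCCESS;
}

int main(void)
{
    char a[64], b[64];
    int rc = prompt_new_password(linux_conv, a, sizeof a, b, sizeof b);
    printf("Linux-PAM conv: rc=%d match=%d\n", rc, rc == PAM_SUCCESS && strcmp(a, b) == 0);
    rc = prompt_new_password(solaris_conv, a, sizeof a, b, sizeof b);
    printf("Solaris conv:   rc=%d match=%d\n", rc, rc == PAM_SUCCESS && strcmp(a, b) == 0);
    return 0;
}
```

The trick only works while the pointer array is in order and points into a single contiguous block; a module that builds its messages as independently allocated structs (the natural thing to do against Linux-PAM alone) will hand a Solaris-style conv garbage for every prompt after the first. Nico's alternative of one prompt per conv() call sidesteps the issue entirely, at the cost that libraries which insist on multi-prompt conversations cannot be served that way.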