[Bug 988520] Re: After failed auth, subsequent auths in same context fail

[Russ Allbery]

I have a test case, but I'm not sure you'll particularly enjoy it, since
it isn't in a neatly isolated form.  But if you:

    git clone git://git.eyrie.org/kerberos/pam-krb5.git
    cd pam-krb5
    ./autogen
    ./configure

and then add the username and password of an account in a test Kerberos
realm to tests/config/password following the instructions in
tests/config/README, and then run:

    make check

you will find that the bad-authtok test fails as follows:

module/bad-authtok......FAILED 9-10, 13, 34-35, 41-49

This is how I found the problem originally.

The problem is not reproducible without having access to a Kerberos
realm to use to test with, unfortunately, since you have to be able to
try a failed and then successful authetnication to see the problem.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/988520

Title:
  After failed auth, subsequent auths in same context fail

Status in “krb5” package in Ubuntu:
  Incomplete
Status in “krb5” package in Debian:
  New

Bug description:
  MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in
  the tracking of preauth mechanisms such that, if an authentication
  fails after preauth was requested, all subsequent preauth-required
  authentications in the same Kerberos context will also fail.

  This breaks password change when credentials have expired, and also
  breaks try_first_pass functionality in Kerberos PAM modules.

  Upstream has fixed this problem in their mainline with commit 25822.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/988520/+subscriptions