[PATCH 0/1] MR7604: kerberos: Accept NULL password, libkrb5 uses cached credentials in that case.
From: Dmitry Timoshkov dmitry@baikal.ru
Signed-off-by: Dmitry Timoshkov dmitry@baikal.ru --- dlls/kerberos/krb5_ap.c | 2 +- dlls/kerberos/unixlib.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/dlls/kerberos/krb5_ap.c b/dlls/kerberos/krb5_ap.c index 5a5878faf02..a824c5d00c6 100644 --- a/dlls/kerberos/krb5_ap.c +++ b/dlls/kerberos/krb5_ap.c @@ -428,7 +428,7 @@ static NTSTATUS NTAPI kerberos_SpAcquireCredentialsHandle( goto done; } if (!(username = get_username_unixcp( id->User, id->UserLength, id->Domain, id->DomainLength ))) goto done; - if (!(password = get_password_unixcp( id->Password, id->PasswordLength ))) goto done; + if (id->Password && !(password = get_password_unixcp( id->Password, id->PasswordLength ))) goto done; }
if (!(cred_handle = calloc( 1, sizeof(*cred_handle) ))) diff --git a/dlls/kerberos/unixlib.c b/dlls/kerberos/unixlib.c index e5287140e3a..0ca76cc2fd9 100644 --- a/dlls/kerberos/unixlib.c +++ b/dlls/kerberos/unixlib.c @@ -605,7 +605,7 @@ static NTSTATUS init_creds( const char *user_at_domain, const char *password ) krb5_creds creds; krb5_error_code err;
- if (!user_at_domain) return STATUS_SUCCESS; + if (!user_at_domain || !password) return STATUS_SUCCESS; if ((err = p_krb5_init_context( &ctx ))) return krb5_error_to_status( err ); if ((err = p_krb5_parse_name_flags( ctx, user_at_domain, 0, &principal ))) goto done; if ((err = p_krb5_cc_default( ctx, &cache ))) goto done;
If a username is passed to AcquireCredentialsHandle() but no password I would expect an error. Allowing this to succeed means the app might be using credentials for a different user than intended.
On Tue Mar 18 10:51:38 2025 +0000, Hans Leidekker wrote:
If a username is passed to AcquireCredentialsHandle() but no password I would expect an error. Allowing this to succeed means the app might be using credentials for a different user than intended.
According to KRB5_TRACE if password is NULL libkrb5 uses cached ticket for the specified user@domain, so, to me it looks like an intended behaviour.
On Tue Mar 18 10:51:38 2025 +0000, Dmitry Timoshkov wrote:
According to KRB5_TRACE if password is NULL libkrb5 uses cached ticket for the specified user@domain, so, to me it looks like an intended behaviour.
Suppose a handle is acquired for user@domain with non-null password, then if you acquire another handle for user2@domain with null password you get cached credentials for user@domain.
On Tue Mar 18 10:58:18 2025 +0000, Hans Leidekker wrote:
Suppose a handle is acquired for user@domain with non-null password, then if you acquire another handle for user2@domain with null password you get cached credentials for user@domain.
I'd guess that you have such a configuration to verify the described behaviour. Since I don't have access to similar configuration for testing I have nothing to say about this.
This merge request was closed by Dmitry Timoshkov.
-
Dmitry Timoshkov -
Dmitry Timoshkov (@dmitry)
-
Hans Leidekker (@hans)