action=update broken
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| libpam-ccreds (Ubuntu) |
Confirmed
|
Medium
|
Unassigned | ||
Bug Description
Binary package hint: libpam-ccreds
The suggested configuration, at <https:/
This makes sense, because if the user entered an invalid password and the LDAP server is contactable, the cached credentials may be invalid[1].
However my tests reveal action=update is a NOP action.
This seems to come from the following line within cc_lib.cc
if (memcmp(data, data_stored, datalength) == 0 || !credentials) {
... do delete ...
}
I suspect the memcmp checks the password matches the cached value (no it doesn't, the pam configuration makes sure of this). credentials set to the string I am using to log in (I assume this is correct?). As such, the if test fails, and the deletion is skipped.
This behaviour, if somehow correct, is not documented anywhere I can see.
(note I am using the pam configuration from another bug report <https:/
Notes
[1] of course it could also be used as a DOS attack - e.g. connect somebodies computer up to the network, type an invalid password, that user won't be able to log in any more without using the network the first time. Not sure what to do about this.
| Changed in libpam-ccreds (Ubuntu): | |
| importance: | Undecided → Medium |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in libpam-ccreds (Ubuntu): | |
| status: | New → Confirmed |
| Changed in libpam-ccreds (Ubuntu): | |
| status: | Confirmed → New |
| Changed in libpam-ccreds (Ubuntu): | |
| status: | New → Confirmed |
| Patrick Banholzer (patrick-banholzer) wrote | #3 |
Status changed to 'Confirmed' because the bug affects multiple users.