To me it looks like the PAM authenticator check is missing a call to
pam_acct_mgmt() after the pam_authenticate() that is already there;
see the attached patch.

myproxy has similar code, and does a similar thing here:

https://sources.debian.org/src/myproxy/6.2.14-2/auth_pam.c/?hl=227#L227

(It first checks with pam_authenticate(), then with pam_acct_mgmt(),
and fails the login if the account or the password has expired.)

-- Andreas Rönnquist
gus...@debian.org
From: Andreas Rönnquist <gus...@librem.one>
Date: Thu, 11 Aug 2022 14:47:53 +0200
Subject: CVE-2022-26562: Check account validation in addition to
 authentication

---
 provider/libserver/ECKrbAuth.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/provider/libserver/ECKrbAuth.cpp b/provider/libserver/ECKrbAuth.cpp
index cce39fb..c539a15 100644
--- a/provider/libserver/ECKrbAuth.cpp
+++ b/provider/libserver/ECKrbAuth.cpp
@@ -129,11 +129,21 @@ ECRESULT ECPAMAuthenticateUser(const char *szPamService,
 		return KCERR_LOGON_FAILED;
 	}
 	res = pam_authenticate(pamh, PAM_SILENT);
-	pam_end(pamh, res);
 	if (res != PAM_SUCCESS) {
 		*lpstrError = pam_strerror(nullptr, res);
+		pam_end(pamh, res);
 		return KCERR_LOGON_FAILED;
 	}
+
+	res = pam_acct_mgmt(pamh, PAM_SILENT);
+	if (res != PAM_SUCCESS) {
+		*lpstrError = pam_strerror(nullptr, res);
+		pam_end(pamh, res);
+		return KCERR_LOGON_FAILED;
+	}
+
+	pam_end(pamh, res);
+
 	return erSuccess;
 }
 
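Review bot: The new pam_acct_mgmt() branch silently folds PAM_NEW_AUTHTOK_REQD into a generic logon failure, since any non-PAM_SUCCESS result returns KCERR_LOGON_FAILED and this function has no pam_chauthtok() path to let the user renew an expired password; that is a defensible choice for a server-side mail authenticator, but it should be stated so a future maintainer does not "fix" it by treating PAM_NEW_AUTHTOK_REQD as success. I would add above the call: `// pam_acct_mgmt() enforces account/password expiry and access-control modules; PAM_NEW_AUTHTOK_REQD is deliberately rejected because there is no pam_chauthtok() flow here.` The cleanup is also now duplicated in both failure branches and on the success path; the hunk is readable as is, but a single exit that always calls pam_end(pamh, res) after the last status is assigned would keep future PAM stages (e.g. pam_setcred()) from forgetting it. ECPAMAuthenticateUser starts before this hunk, so I cannot see whether pamh is used by the caller after return.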
