RT RT/krbdev.mit.edu: Ticket #6888 No explanation of failed passwd entry if REQUIRES_PWCHANGE is set Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
6888
Status
resolved
Worked
0 min
Priority
50/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Tags
Version_reported
Version_Fixed
  • 1.9.2
Target_Version
  • 1.9.1
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Mon Mar 28 17:31:41 2011
Starts: Not set
Started: Not set
Last Contact: Thu Jun 9 17:08:47 2011
Due: Not set
Updated: Wed Dec 16 18:02:57 2015 by tlyu
 

 People  
Owner
 ghudson
Requestors
 arnolds@mpa-garching.mpg.de
Cc
 
AdminCc
 
 

 More about arnolds@mpa-garching.mpg.de  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Mon Mar 28 17:31:41 2011  RT_System - Ticket created    
     
From krb5-bugs-incoming-bounces@PCH.mit.edu  Mon Mar 28 17:31:41 2011
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
	by krbdev.mit.edu (Postfix) with ESMTP id EC97A3E640;
	Mon, 28 Mar 2011 17:31:40 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id p2SLVeue025028;
	Mon, 28 Mar 2011 17:31:40 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
	by pch.mit.edu (8.13.6/8.12.8) with ESMTP id p2SFahHD025419
	for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 28 Mar 2011 11:36:44 -0400
Received: from dmz-mailsec-scanner-5.mit.edu (DMZ-MAILSEC-SCANNER-5.MIT.EDU
	[18.7.68.34])
	by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id p2SFUqP0007516
	for <krb5-bugs@mit.edu>; Mon, 28 Mar 2011 11:36:40 -0400
X-AuditID: 12074422-b7ccdae000003dab-a2-4d90ab062cec
Authentication-Results: symauth.service.identifier
Received: from mpadmz-3.MPA-Garching.MPG.DE (mpadmz-3.MPA-Garching.MPG.DE
	[130.183.82.19])
	by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP
	id 48.CF.15787.60BA09D4; Mon, 28 Mar 2011 11:36:39 -0400 (EDT)
Received: from ncd-11.MPA-Garching.MPG.DE (ncd-11.MPA-Garching.MPG.DE
	[130.183.84.20])
	by mpadmz-3.MPA-Garching.MPG.DE (8.14.4/8.14.4) with ESMTP id
	p2SFaXTL011897
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Mon, 28 Mar 2011 17:36:33 +0200
Received: (from arnolds@localhost)
	by ncd-11.MPA-Garching.MPG.DE (8.14.4/8.14.4/Submit) id p2SFaXeY013650;
	Mon, 28 Mar 2011 17:36:33 +0200
Date: Mon, 28 Mar 2011 17:36:33 +0200
Message-Id: <201103281536.p2SFaXeY013650@ncd-11.MPA-Garching.MPG.DE>
To: krb5-bugs@mit.edu
Subject: No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
From: arnolds@mpa-garching.mpg.de
X-send-pr-version: 3.99
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.3.4
	(mpadmz-3.MPA-Garching.MPG.DE [130.183.82.19]);
	Mon, 28 Mar 2011 17:36:33 +0200 (CEST)
X-Brightmail-Tracker:
H4sIAAAAAAAAA+NgFnrBIsWRWlGSWpSXmKPExsXStD1IWJd99QRfg00XxS0aHh5nd2D0aDpz
	lDmAMYrLJiU1J7MstUjfLoErY/q6bWwF2wQrTpz4w9LAeIK3i5GTQ0LARGLn2lvsIDajgJHE
	7nOvWCHiYhIX7q1n62Lk4hASeMwo0TixiRnC6WWSuHloMyOE08cosWfyfKB2Dg4WAVWJl3dc
	QLp5BVwkpt1YCTZVREBU4uXfYywgJcICXhKPHwuBhNkEFCVWPn0PViIE1LnxSDsziM0sIC/x
	+90KqCPEJXZsP80OskpCYB6jxL62lWwTGPkXMDKsYpRNya3SzU3MzClOTdYtTk7My0st0jXV
	y80s0UtNKd3ECAwaIXYXpR2MPw8qHWIU4GBU4uH9Hd7vK8SaWFZcmXuIUZKDSUmUd8byCb5C
	fEn5KZUZicUZ8UWlOanFhxglOJiVRHgPNQLleFMSK6tSi/JhUtIcLErivHMk1X2FBNITS1Kz
	U1MLUotgskwc7IcYZTg4lCR481YBdQsWpaanVqRl5pQgq+EEEVwga3iA1uiDFPIWFyTmFmem
	QxSdYtTluH7q6V5GIZa8/LxUKXHeApAiAZCijNI8uGGgBFD/////S4yyUsK8jAwMDEI8QNcA
	AwEhD0ogrxjFgQEgzBsLMoUnM68EbtMroCOYgI4IVAI7oiQRISXVwNgv6vz8yMkO/q1Xq/iO
	LwkNlmnZ/mhDzK/GLuHTJYVepyNOPVyZE3+PczbX2jY3oTfNKhsfL/D+z3yczWSrtktv43GT
	lo9/t3Cpyoode9ekr3ulqsz5waMzDxczCV6e3meX1iOoVb/5+o9H718fuc/s9CJOLNgq23Eq
	4+TEqiiNuslNcQd4JiuxFGckGmoxFxUnAgD42h+p+wIAAA==
X-Mailman-Approved-At: Mon, 28 Mar 2011 17:31:40 -0400
Cc: arnolds@mpa-garching.mpg.de
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: arnolds@mpa-garching.mpg.de
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


>Submitter-Id:	net
>Originator:	Heinz-Ado Arnolds
>Organization:
>Confidential:	no
>Synopsis:	No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.9
>Environment:
System: Linux ncd-11 2.6.37.4 #1 SMP PREEMPT Mon Mar 21 17:46:54 CET 2011 x86_64
GNU/Linux
Architecture: x86_64

>Description:

Dear Ladies and Gentlemen,

I have found a problem when a principal is maked with the attribute
"REQUIRES_PWCHANGE". If a user tries to change the password with his first login,
violations to the password requirements are not reported. That might be very
unconvenient for an unexpierenced user. While for example kpasswd comments on a
character class failure, the same is handled without any error message by forced
password change.

Reason for this behaviour is that krb5_change_password (called by
krb5_get_init_creds_password()) gives an KRB5_KPASSWD_HARDERROR if requirements are
not met and the password entry loop is left immediately without any message (i.e. Too
many authentication failures for ...).

Enclosed you'll find a patch to gic_pwd.d which fixes that situation. I'm sure that
you'll know quite more nifty solutions for fixing that.

Thanks a lot for your effort in developing krb5 an kind regard,

Ado

>How-To-Repeat:

see above
>Fix:

diff -ur krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c krb5-1.9/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c    2010-12-01 03:16:37.000000000 +0100
+++ krb5-1.9/src/lib/krb5/krb/gic_pwd.c 2011-03-28 17:12:50.000000000 +0200
@@ -401,7 +401,12 @@

             ret = KRB5_CHPW_FAIL;

-            if (result_code != KRB5_KPASSWD_SOFTERROR) {
+            /* don't finally fail (show error and try again) if character
+               class requirements were not met */
+            if (result_code != KRB5_KPASSWD_SOFTERROR &&
+                !(result_code == KRB5_KPASSWD_HARDERROR &&
+                  !strncmp(result_string.data, "New password does not have enough
character classes", 51) )
+                ) {
                 free(result_string.data);
                 goto cleanup;
             }


Download (untitled) 5.3k
      Mon Mar 28 17:31:42 2011  RT_System - Component krb5-libs added    
      Tue Mar 29 18:39:33 2011  ghudson - Correspondence added    
     
I think this is actually a server bug.  The kpasswd server should be
returning a soft error on a password quality failure and a hard error
otherwise.  It was doing the right thing up until 1.7 when RFC 3244 was
implemented, at which point the result codes were accidentally switched.


Download (untitled) 286b
      Tue Mar 29 18:44:31 2011  ghudson - Given to ghudson    
      Tue Mar 29 18:44:31 2011  ghudson - Target_Version 1.9.1 added    
      Tue Mar 29 18:44:31 2011  ghudson - Status changed from open to review    
      Tue Mar 29 18:44:31 2011  ghudson - Tags pullup added    
      Tue Mar 29 18:44:31 2011  ghudson - Correspondence added    
     
From: ghudson@mit.edu
Subject: SVN Commit


In r21175 (on the mskrb branch, merged in r21690) the result codes for
password quality and other errors were accidentally reversed.  Fix
them so that password quality errors generate a "soft" failure and
other errors generate a "hard" failure, as Heimdal and Microsoft do.
Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
quality error.


https://github.com/krb5/krb5/commit/6f94401ee3b0bfb1d7262fccbd794108fac3aa92
Commit By: ghudson
Revision: 24755
Changed Files:
U   trunk/src/kadmin/server/schpw.c


Download (untitled) 520b
      Thu Jun  9 17:08:47 2011  tlyu - Status changed from review to resolved    
      Thu Jun  9 17:08:47 2011  tlyu - Version_Fixed 1.9.2 added    
      Thu Jun  9 17:08:47 2011  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit


pull up r24755 from trunk

 ------------------------------------------------------------------------
 r24755 | ghudson | 2011-03-29 18:44:30 -0400 (Tue, 29 Mar 2011) | 11 lines

 ticket: 6888
 target_version: 1.9.1
 tags: pullup

 In r21175 (on the mskrb branch, merged in r21690) the result codes for
 password quality and other errors were accidentally reversed.  Fix
 them so that password quality errors generate a "soft" failure and
 other errors generate a "hard" failure, as Heimdal and Microsoft do.
 Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
 quality error.

https://github.com/krb5/krb5/commit/a1d3e7b934225c69d8c1817084c477564df675ec
Commit By: tlyu
Revision: 24952
Changed Files:
U   branches/krb5-1-9/src/kadmin/server/schpw.c


Download (untitled) 764b
      Wed Dec 16 18:02:57 2015  tlyu - Keyword pullup deleted