From bjaspan@MIT.EDU Mon Mar 17 12:28:35 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id MAA02303 for ; Mon, 17 Mar 1997 12:28:34 -0500
Received: from BEEBLEBROX.MIT.EDU by MIT.EDU with SMTP id AA12880; Mon, 17 Mar 97 12:28:27 EST
Received: by beeblebrox.MIT.EDU (940816.SGI.8.6.9/4.7) id RAA09448; Mon, 17 Mar 1997 17:28:34 GMT
Message-Id: <199703171728.RAA09448@beeblebrox.MIT.EDU>
Date: Mon, 17 Mar 1997 17:28:34 GMT
From: bjaspan@MIT.EDU
Reply-To: bjaspan@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: kadm5_randkey_principal does not store old key in history
X-Send-Pr-Version: 3.99

>Number: 397
>Category: krb5-admin
>Synopsis: kadm5_randkey_principal does not store old key in history
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: bjaspan
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 17 12:29:00 EST 1997
>Last-Modified: Sun Mar 01 21:47:01 EST 1998
>Originator: Barry Jaspan
>Organization: mit
>Release: 1.0-development
>Environment:
System: IRIX beeblebrox 5.3 02091401 IP22 mips
>Description:

The current implementation of kadm5_randkey_principal does not store the current key in the key history before replacing it with a new random key. This means that a principal can randomize its password and then re-select that password, getting around the password history.

Actually, I'm not convinced this really matters. Password history without password minimum life is meaningless. If you have a pw min_life, then randomizing your key really isn't practical, because then you do not have a password to type for the duration of min_life.

So, perhaps the code should be fixed, or kadm5/api-funcspec.tex should be updated not to say that randkey updates pw history. Not sure which.

>How-To-Repeat:
>Fix:
>Audit-Trail:
From: Tom Yu To: Barry Jaspan Cc: krb5-bugs@MIT.EDU Subject: Re: krb5-admin/397: kadm5_randkey_principal does not store old key in history Date: Sun, 1 Mar 1998 21:46:44 -0500 `Tom Yu' made changes to this PR. --- /tmp/gnatsa005GP Sun Mar 1 21:46:10 1998 +++ /tmp/gnatsb005GP Sun Mar 1 21:46:35 1998 @@ -16,7 +16,7 @@ >Synopsis: kadm5_randkey_principal does not store old key in history >Confidential: no >Severity: serious ->Priority: medium +>Priority: low >Responsible: bjaspan >State: open >Class: sw-bug >Unformatted:
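
Review bot: The `>Priority:` field drops from medium to low in this hunk with no reason recorded in the audit entry, while `>Severity:` stays serious and `>State:` stays open. Suggest adding a line to the audit trail saying why the priority was lowered, for example whether it follows from the min_life argument in the Description, and whether the intended resolution is a code fix or an update to kadm5/api-funcspec.tex.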
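
The behaviour described in the report, as a small C model added here for illustration; it is not MIT krb5 code, and `princ_t`, `chpass`, `randkey`, `s2k`, `HISTORY_NUM`, the sample password and the timestamps are all assumptions. It compares a randkey that skips the key history with one that saves the old key, and includes the minimum-life check that the Description argues makes the gap impractical.

```c
/* Toy password-history model, constructed for illustration; not MIT krb5 code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define HISTORY_NUM 3                  /* assumed policy: 3 old keys kept */
enum { OK = 0, TOO_SOON = -1, REUSED = -2 };
typedef struct {
    uint64_t key, old[HISTORY_NUM];    /* current key; history, newest first */
    int n_old; long last_change, min_life;   /* times in seconds */
} princ_t;
/* Stand-in for string-to-key: 32-bit FNV-1a, not a Kerberos s2k. */
static uint64_t s2k(const char *pw) {
    uint32_t h = 2166136261u;
    while (*pw) h = (h ^ (unsigned char)*pw++) * 16777619u;
    return h;
}
static void push_history(princ_t *p) {
    memmove(&p->old[1], &p->old[0], (HISTORY_NUM - 1) * sizeof p->old[0]);
    p->old[0] = p->key;
    if (p->n_old < HISTORY_NUM) p->n_old++;
}
/* Password change: enforces min_life first, then the key history. */
int chpass(princ_t *p, const char *pw, long now) {
    uint64_t k = s2k(pw);
    if (now - p->last_change < p->min_life) return TOO_SOON;
    if (k == p->key) return REUSED;
    for (int i = 0; i < p->n_old; i++)
        if (p->old[i] == k) return REUSED;
    push_history(p);
    p->key = k; p->last_change = now;
    return OK;
}
/* save_old = 0 models the reported behaviour, 1 the documented behaviour. */
void randkey(princ_t *p, long now, int save_old) {
    if (save_old) push_history(p);
    p->key = ((uint64_t)1 << 32) | (uint32_t)rand(); /* bit 32 set: never equals an s2k() value */
    p->last_change = now;
}
/* Randomize the key, then one second later try to re-select the old password. */
int reuse_after_randkey(int save_old, long min_life) {
    princ_t p = { .key = s2k("old-passw0rd"), .min_life = min_life };
    randkey(&p, 100000, save_old);
    return chpass(&p, "old-passw0rd", 100001);
}
int main(void) {
    printf("no save, min_life 0: %d; saved, min_life 0: %d; no save, min_life 1d: %d\n",
           reuse_after_randkey(0, 0), reuse_after_randkey(1, 0), reuse_after_randkey(0, 86400));
    return 0;
}
```

In this model the old password is accepted again only when randkey skips the history and no minimum life is set.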