From: "Дилян Палаузов"
Subject: Re: [krbdev.mit.edu #8949] Provide Means to Prevent a User Changing its Password
References: <6431e77f71529406c93d3ee64caf1a15e6b4f561.camel@aegee.org>
Date: Thu, 17 Sep 2020 14:53:19 +0300
Message-ID: <51ea1f29e3fcafbbf4853cc11e58eb8e19da2c3d.camel@aegee.org>
To: rt@krbdev.mit.edu

Hello,

thanks for your answer. Eventually I changed the kadm5_chpass_principal_3() function as shown below.

The disadvantage of the SPAKE preauthentication for realms exposed over the internet is that for some accounts there are constant experiments to guess the password from around the globe. Eventually, the accounts get locked if the guesses fail. Instead I tunnel everything over TLS and enforce a password change every three months.

Regards
Dilyan

--- src/lib/kadm5/srv/svr_principal.c.orig 2020-09-16 23:51:48.892495992 +0300 +++ src/lib/kadm5/srv/svr_principal.c 2020-09-17 00:02:56.700937586 +0300 @@ -1347,6 +1347,7 @@ krb5_kvno act_kvno, hist_kvno; int new_n_ks_tuple = 0; krb5_key_salt_tuple *new_ks_tuple = NULL; + char *principal_str; CHECK_HANDLE(server_handle); 
@@ -1361,6 +1362,13 @@ principal, hist_princ)) == TRUE) return KADM5_PROTECT_PRINCIPAL; + krb5_unparse_name(handle->context, principal, &principal_str); + if (strncmp(principal_str, "aaa@", 4) == 0) { + krb5_free_unparsed_name(handle->context, principal_str); + return KADM5_PROTECT_PRINCIPAL; + } + krb5_free_unparsed_name(handle->context, principal_str); + if ((ret = kdb_get_entry(handle, principal, &kdb, &adb))) return(ret);

At 18:37 -0400 on 16.09.2020 (Wed), Greg Hudson via RT wrote:
> Note that every user of the demo account will be able to decrypt every other
> users' communications, unless SPAKE preauth is used (and even then an MITM
> attack is likely possible).
>
> I believe this use case is currently possible in three suboptimal ways, the
> first of which is probably easiest:
>
> 1. Set a long min_life on the principal.
>
> 2. Provide a password quality plugin module which always fails the quality
> check for this principal.
>
> 3. Disable the "self" kadm5_auth module, and instead provide a new module which
> enables self-service for every principal but this one.
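Review bot: In the second hunk the return value of krb5_unparse_name() is discarded, so if it fails principal_str stays uninitialized and strncmp() dereferences it; assign the result to `ret` and return it before the comparison. The prefix test `strncmp(principal_str, "aaa@", 4) == 0` also matches "aaa@" in every realm the KDC serves, and the protected name is hard-coded into libkadm5srv; comparing the parsed principal against a configured one with krb5_principal_compare() would make the rule explicit and realm-aware.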