From krb5-bugs-incoming-bounces@PCH.mit.edu Mon Mar 28 17:31:41 2011
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id EC97A3E640;
Mon, 28 Mar 2011 17:31:40 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id p2SLVeue025028;
Mon, 28 Mar 2011 17:31:40 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id p2SFahHD025419
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 28 Mar 2011 11:36:44 -0400
Received: from dmz-mailsec-scanner-5.mit.edu (DMZ-MAILSEC-SCANNER-5.MIT.EDU
[18.7.68.34])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id p2SFUqP0007516
for <krb5-bugs@mit.edu>; Mon, 28 Mar 2011 11:36:40 -0400
X-AuditID: 12074422-b7ccdae000003dab-a2-4d90ab062cec
Authentication-Results: symauth.service.identifier
Received: from mpadmz-3.MPA-Garching.MPG.DE (mpadmz-3.MPA-Garching.MPG.DE
[130.183.82.19])
by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP
id 48.CF.15787.60BA09D4; Mon, 28 Mar 2011 11:36:39 -0400 (EDT)
Received: from ncd-11.MPA-Garching.MPG.DE (ncd-11.MPA-Garching.MPG.DE
[130.183.84.20])
by mpadmz-3.MPA-Garching.MPG.DE (8.14.4/8.14.4) with ESMTP id
p2SFaXTL011897
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Mon, 28 Mar 2011 17:36:33 +0200
Received: (from arnolds@localhost)
by ncd-11.MPA-Garching.MPG.DE (8.14.4/8.14.4/Submit) id p2SFaXeY013650;
Mon, 28 Mar 2011 17:36:33 +0200
Date: Mon, 28 Mar 2011 17:36:33 +0200
Message-Id: <201103281536.p2SFaXeY013650@ncd-11.MPA-Garching.MPG.DE>
To: krb5-bugs@mit.edu
Subject: No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
From: arnolds@mpa-garching.mpg.de
X-send-pr-version: 3.99
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.3.4
(mpadmz-3.MPA-Garching.MPG.DE [130.183.82.19]);
Mon, 28 Mar 2011 17:36:33 +0200 (CEST)
X-Mailman-Approved-At: Mon, 28 Mar 2011 17:31:40 -0400
Cc: arnolds@mpa-garching.mpg.de
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: arnolds@mpa-garching.mpg.de
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu
>Submitter-Id: net
>Originator: Heinz-Ado Arnolds
>Organization:
>Confidential: no
>Synopsis: No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.9
>Environment:
System: Linux ncd-11 2.6.37.4 #1 SMP PREEMPT Mon Mar 21 17:46:54 CET 2011 x86_64 GNU/Linux
Architecture: x86_64
>Description:
Dear Ladies and Gentlemen,
I have found a problem when a principal is marked with the attribute "REQUIRES_PWCHANGE". If a user tries to change the password with his first login, violations of the password requirements are not reported. That might be very inconvenient for an inexperienced user. While for example kpasswd comments on a character class failure, the same is handled without any error message by a forced password change.
Reason for this behaviour is that krb5_change_password (called by krb5_get_init_creds_password()) gives a KRB5_KPASSWD_HARDERROR if requirements are not met and the password entry loop is left immediately without any message (i.e. Too many authentication failures for ...).
Enclosed you'll find a patch to gic_pwd.c which fixes that situation. I'm sure that you'll know quite more nifty solutions for fixing that.
Thanks a lot for your effort in developing krb5 and kind regards,
Ado
>How-To-Repeat:
see above
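To see the behaviour the report describes, the following added example (not code from the krb5 tree) replays the gic_pwd.c prompt loop over constructed KDC replies, once with the original SOFTERROR-only test and once with the patch's predicate. It assumes a local krb5_data stand-in and the RFC 3244 values for the KRB5_KPASSWD_* codes, and it compares the reply text by length instead of with strncmp.

```c
/* Added example (not krb5 code): models the password-entry loop of gic_pwd.c
 * with a stand-in for krb5_change_password(). The result codes are the RFC 3244
 * values from krb5.h; the krb5_data stand-in and KDC replies are constructed. */
#include <stdio.h>
#include <string.h>
#define KRB5_KPASSWD_SUCCESS   0
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_SOFTERROR 4
typedef struct { unsigned int length; char *data; } krb5_data; /* stand-in; no NUL terminator */
/* Constructed replies for three successive attempts by the same user. */
static const struct { int code; const char *msg; } replies[] = {
    { KRB5_KPASSWD_HARDERROR, "New password does not have enough character classes" },
    { KRB5_KPASSWD_SOFTERROR, "Password change rejected" },
    { KRB5_KPASSWD_SUCCESS,   "" },
};
/* Length-bounded prefix test; strncmp() would assume a terminating NUL. */
static int data_has_prefix(const krb5_data *d, const char *prefix) {
    size_t n = strlen(prefix);
    return d->length >= n && memcmp(d->data, prefix, n) == 0;
}

/* Patched predicate: retry on SOFTERROR, or on the character-class HARDERROR. */
static int should_retry(int code, const krb5_data *result) {
    if (code == KRB5_KPASSWD_SOFTERROR) return 1;
    return code == KRB5_KPASSWD_HARDERROR &&
           data_has_prefix(result, "New password does not have enough character classes");
}

/* Runs the prompt loop; returns attempts made, stores messages shown in *reported. */
int run_change_loop(int use_patch, int *reported) {
    int attempts = 0;
    *reported = 0;
    for (size_t i = 0; i < sizeof replies / sizeof replies[0]; i++) {
        krb5_data result = { (unsigned int)strlen(replies[i].msg), (char *)replies[i].msg };
        attempts++;
        if (replies[i].code == KRB5_KPASSWD_SUCCESS) return attempts;
        int retry = use_patch ? should_retry(replies[i].code, &result)
                              : replies[i].code == KRB5_KPASSWD_SOFTERROR;
        if (!retry) return attempts;   /* original code: silent goto cleanup */
        (*reported)++;                 /* error text shown, user prompted again */
    }
    return attempts;
}

int main(void) {
    int shown, n;
    n = run_change_loop(0, &shown); printf("original: %d attempt(s), %d message(s)\n", n, shown);
    n = run_change_loop(1, &shown); printf("patched:  %d attempt(s), %d message(s)\n", n, shown);
    return 0;
}
```

With the original test the first HARDERROR ends the loop after one attempt and the user sees nothing; with the patched predicate the policy text is shown and the user reaches the successful third attempt.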
>Fix:
diff -ur krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c krb5-1.9/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c 2010-12-01 03:16:37.000000000 +0100
+++ krb5-1.9/src/lib/krb5/krb/gic_pwd.c 2011-03-28 17:12:50.000000000 +0200
@@ -401,7 +401,12 @@
ret = KRB5_CHPW_FAIL;
- if (result_code != KRB5_KPASSWD_SOFTERROR) {
+ /* don't finally fail (show error and try again) if character
+ class requirements were not met */
+ if (result_code != KRB5_KPASSWD_SOFTERROR &&
+ !(result_code == KRB5_KPASSWD_HARDERROR &&
+ !strncmp(result_string.data, "New password does not have enough character classes", 51) )
+ ) {
free(result_string.data);
goto cleanup;
}
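Review bot: the new condition ties the retry decision to one exact server message, `!strncmp(result_string.data, "New password does not have enough character classes", 51)`, so any other policy rejection the KDC reports as KRB5_KPASSWD_HARDERROR (minimum length, password history, dictionary checks) still falls through to `goto cleanup` with no message, and a KDC that words this particular message differently will too. result_string is a krb5_data with an explicit length and no guaranteed NUL terminator, so the comparison should be bounded by result_string.length (a length check followed by memcmp) rather than by a hard-coded 51. A smaller and more robust change is to treat every KRB5_KPASSWD_HARDERROR that arrives with a non-empty result_string as a reportable, retryable failure and print the text before looping, instead of special-casing one string. Minor: the dangling `) {` on its own line does not match the surrounding style; close the condition on the last operand line.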