From krb5-bugs-incoming-bounces@PCH.mit.edu Mon Mar 28 17:31:41 2011
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id EC97A3E640;
Mon, 28 Mar 2011 17:31:40 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id p2SLVeue025028;
Mon, 28 Mar 2011 17:31:40 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id p2SFahHD025419
for <krb5-bugs-incoming@PCH.mit.edu>; Mon, 28 Mar 2011 11:36:44 -0400
Received: from dmz-mailsec-scanner-5.mit.edu (DMZ-MAILSEC-SCANNER-5.MIT.EDU
[18.7.68.34])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id p2SFUqP0007516
for <krb5-bugs@mit.edu>; Mon, 28 Mar 2011 11:36:40 -0400
Received: from mpadmz-3.MPA-Garching.MPG.DE (mpadmz-3.MPA-Garching.MPG.DE
[130.183.82.19])
by dmz-mailsec-scanner-5.mit.edu (Symantec Messaging Gateway) with SMTP
id 48.CF.15787.60BA09D4; Mon, 28 Mar 2011 11:36:39 -0400 (EDT)
Received: from ncd-11.MPA-Garching.MPG.DE (ncd-11.MPA-Garching.MPG.DE
[130.183.84.20])
by mpadmz-3.MPA-Garching.MPG.DE (8.14.4/8.14.4) with ESMTP id
p2SFaXTL011897
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
Mon, 28 Mar 2011 17:36:33 +0200
Received: (from arnolds@localhost)
by ncd-11.MPA-Garching.MPG.DE (8.14.4/8.14.4/Submit) id p2SFaXeY013650;
Mon, 28 Mar 2011 17:36:33 +0200
Date: Mon, 28 Mar 2011 17:36:33 +0200
Message-Id: <201103281536.p2SFaXeY013650@ncd-11.MPA-Garching.MPG.DE>
To: krb5-bugs@mit.edu
Subject: No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
From: arnolds@mpa-garching.mpg.de
X-send-pr-version: 3.99
X-Mailman-Approved-At: Mon, 28 Mar 2011 17:31:40 -0400
Cc: arnolds@mpa-garching.mpg.de
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: arnolds@mpa-garching.mpg.de
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


>Submitter-Id: net
>Originator: Heinz-Ado Arnolds
>Organization:
>Confidential: no
>Synopsis: No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
>Severity: non-critical
>Priority: medium
>Category: krb5-libs
>Class: sw-bug
>Release: 1.9
>Environment:
System: Linux ncd-11 2.6.37.4 #1 SMP PREEMPT Mon Mar 21 17:46:54 CET 2011 x86_64 GNU/Linux
Architecture: x86_64

>Description:

Dear Ladies and Gentlemen,

I have found a problem when a principal is marked with the attribute "REQUIRES_PWCHANGE". If a user tries to change the password with his first login, violations of the password requirements are not reported. That might be very inconvenient for an inexperienced user. While for example kpasswd comments on a character class failure, the same is handled without any error message by forced password change.

Reason for this behaviour is that krb5_change_password (called by krb5_get_init_creds_password()) gives a KRB5_KPASSWD_HARDERROR if requirements are not met and the password entry loop is left immediately without any message (i.e. Too many authentication failures for ...).

Enclosed you'll find a patch to gic_pwd.c which fixes that situation. I'm sure that you'll know quite more nifty solutions for fixing that.

Thanks a lot for your effort in developing krb5 and kind regards,

Ado

>How-To-Repeat:

see above
>Fix:

diff -ur krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c krb5-1.9/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c 2010-12-01 03:16:37.000000000 +0100
+++ krb5-1.9/src/lib/krb5/krb/gic_pwd.c 2011-03-28 17:12:50.000000000 +0200
@@ -401,7 +401,12 @@

ret = KRB5_CHPW_FAIL;

- if (result_code != KRB5_KPASSWD_SOFTERROR) {
+ /* don't finally fail (show error and try again) if character
+ class requirements were not met */
+ if (result_code != KRB5_KPASSWD_SOFTERROR &&
+ !(result_code == KRB5_KPASSWD_HARDERROR &&
+ !strncmp(result_string.data, "New password does not have enough character classes", 51) )
+ ) {
free(result_string.data);
goto cleanup;
}
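Review bot: the new condition makes the client's retry decision depend on the exact English wording of the server's reply: `!strncmp(result_string.data, "New password does not have enough character classes", 51)` breaks as soon as the server message changes or is localized, and it reads `result_string.data` without first checking `result_string.length`, so a shorter reply whose buffer is not NUL-terminated can be read past its end. It also rescues only the character-class message; any other quality failure that the server returns as KRB5_KPASSWD_HARDERROR still leaves the loop silently. Since this path already retries on KRB5_KPASSWD_SOFTERROR, the robust fix is on the server side (return a soft error for password-quality failures) with the client check left as `if (result_code != KRB5_KPASSWD_SOFTERROR)`.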
I think this is actually a server bug. The kpasswd server should be
returning a soft error on a password quality failure and a hard error
otherwise. It was doing the right thing up until 1.7 when RFC 3244 was
implemented, at which point the result codes were accidentally switched.
From: ghudson@mit.edu
Subject: SVN Commit

In r21175 (on the mskrb branch, merged in r21690) the result codes for
password quality and other errors were accidentally reversed. Fix
them so that password quality errors generate a "soft" failure and
other errors generate a "hard" failure, as Heimdal and Microsoft do.
Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
quality error.


https://github.com/krb5/krb5/commit/6f94401ee3b0bfb1d7262fccbd794108fac3aa92
Commit By: ghudson
Revision: 24755
Changed Files:
U trunk/src/kadmin/server/schpw.c
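An added illustration (not krb5's own code) of the interaction the report and the commit message describe: the server maps its password-change result to a kpasswd result code, and the client's prompt loop retries only on a soft error. The kpasswd code values follow RFC 3244 as defined in krb5.h; the server-side error categories are a stand-in enum, not the real KADM5_* constants, and `reversed` models the swapped mapping the commit fixes.

```c
/* Added example, not krb5 source. Shows why reversed result codes make a
 * password-quality failure abort the client's prompt loop silently. */
#include <stdbool.h>
#include <stdio.h>

#define KRB5_KPASSWD_SUCCESS   0   /* RFC 3244 result codes, as in krb5.h */
#define KRB5_KPASSWD_HARDERROR 2   /* give up, no retry */
#define KRB5_KPASSWD_SOFTERROR 4   /* report the message and let the user retry */

/* Stand-in for the kadm5 result the server sees (not the real KADM5_* codes). */
typedef enum {
    SRV_OK,
    SRV_QUALITY_CLASSES,   /* e.g. "not enough character classes" */
    SRV_QUALITY_TOOSHORT,
    SRV_QUALITY_GENERIC,   /* plays the role of KADM5_PASS_Q_GENERIC (1.9) */
    SRV_INTERNAL           /* anything that is not a quality problem */
} srv_err;

static bool is_quality_error(srv_err e)
{
    return e == SRV_QUALITY_CLASSES || e == SRV_QUALITY_TOOSHORT ||
           e == SRV_QUALITY_GENERIC;
}

/* Server role (schpw.c): quality failures should be soft, everything else hard.
 * reversed=true models the 1.7..1.9 behaviour where the two were swapped. */
int server_result_code(srv_err e, bool reversed)
{
    if (e == SRV_OK)
        return KRB5_KPASSWD_SUCCESS;
    bool quality = is_quality_error(e);
    if (reversed)
        quality = !quality;
    return quality ? KRB5_KPASSWD_SOFTERROR : KRB5_KPASSWD_HARDERROR;
}

/* Client role (gic_pwd.c): only a soft error keeps the password prompt loop
 * alive; a hard error leaves it without the server's explanation. */
bool client_retries(int result_code)
{
    return result_code == KRB5_KPASSWD_SOFTERROR;
}

int main(void)
{
    srv_err e = SRV_QUALITY_CLASSES;
    printf("fixed mapping:    retry=%d\n", client_retries(server_result_code(e, false)));
    printf("reversed mapping: retry=%d\n", client_retries(server_result_code(e, true)));
    return 0;
}
```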
From: tlyu@mit.edu
Subject: SVN Commit

pull up r24755 from trunk

------------------------------------------------------------------------
r24755 | ghudson | 2011-03-29 18:44:30 -0400 (Tue, 29 Mar 2011) | 11 lines

ticket: 6888
target_version: 1.9.1
tags: pullup

In r21175 (on the mskrb branch, merged in r21690) the result codes for
password quality and other errors were accidentally reversed. Fix
them so that password quality errors generate a "soft" failure and
other errors generate a "hard" failure, as Heimdal and Microsoft do.
Also recognize KADM5_PASS_Q_GENERIC (added in 1.9) as a password
quality error.

https://github.com/krb5/krb5/commit/a1d3e7b934225c69d8c1817084c477564df675ec
Commit By: tlyu
Revision: 24952
Changed Files:
U branches/krb5-1-9/src/kadmin/server/schpw.c