Subject: FAST not used for password change request
From: Nathaniel McCallum <>
Date: Fri, 21 Feb 2014 16:33:43 -0500
When attempting to perform authentication using FAST, if the
principal's keys are expired, the password change request happens
outside of FAST. This means that preauth methods which require FAST
can't be used for user authentication when the keys expire.

gic_pwd.c line 358 acquires the kadmin/changepw credential, using a
separate gic_options structure from the caller-specified options.

I'm not sure yet what the right solution is. It might be as simple as
using the caller-specified options (on the theory that getting a ticket
with a longer lifetime than we need or flags we don't need isn't really a
big deal), or it might be more complicated.

I took a closer look at the gic_opt fields. The following fields affect
preauth and must be carried over:

* Preauth list
* Salt
* Preauth options
* FAST ccache
* Input ccache
* FAST flags
* Responder: affects preauth, must be carried over.

The canonicalize flag should also be carried over, making eight fields
we must carry over.

The following fields could be harmful if carried over:

* Forwardable: could cause failure due to #7871
* Proxiable: same
* Output ccache: we do not want to store the kadmin/changepw ticket
* Anonymous: we can't change a password with an anonymous ticket
* Etype list: could cause failure if kadmin/changepw has only one key.

It's probably also best not to carry over the address list, making six
fields we would not want to carry over. As long as we have to make
changes, the ticket lifetime and renewable lifetime fields should also
be set (to 300 and 0 as they are now).

The remaining two fields (change password prompt flag and expiration
callback) are irrelevant as they are interpreted by gic_pwd.c.

Subject: krb5_get_init_creds_password ignores preauth options when changing password

Correction: the etype list is used for optimistic preauth, and should
therefore be in the list of things we want to carry over.

Subject: git commit

Use preauth options when changing password

If we try to change the password in krb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket. Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.
Author: Greg Hudson <>
Commit: 9f9c4acd9629913d2ff197e0f4994d091f2073d5
Branch: master
src/lib/krb5/krb/gic_pwd.c | 63 +++++++++++++++++++++++++++++++++++--------
1 files changed, 51 insertions(+), 12 deletions(-)

Subject: git commit

Add tests for gic_pwd password change
Author: Greg Hudson <>
Commit: 06817686bfdef99523f300464bcbb0c8b037a27d
Branch: master
src/tests/ | 1 +
src/tests/ | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 0 deletions(-)