Ticket History #7868: krb5_get_init_creds_password ignores preauth options when changing password

# Fri Feb 21 16:34:37 2014 Nathaniel McCallum <npmccallum@redhat.com> - Ticket created

Subject:	FAST not used for password change request
From:	Nathaniel McCallum <npmccallum@redhat.com>
To:	krb5-bugs@mit.edu
Date:	Fri, 21 Feb 2014 16:33:43 -0500

Download (untitled) / with headers
text/plain 260B

When attempting to use perform authentication using FAST, if the
principal's keys are expired, the password change request happens
outside of FAST. This means that preauth methods which require FAST
can't be used for user authentication when the keys expire.

# Fri Feb 21 17:15:50 2014 ghudson@mit.edu (Greg Hudson) - Comments added

Download (untitled) / with headers
text/plain 399B

gic_pwd.c line 358 acquires the kadmin/changepw credential, using a
separate gic_options structure from the caller-specified options.

I'm not sure yet what the right solution is. It might be as simple as
using the caller-specified options (on the theory that getting a ticket
with a longer lifetime than we need or flags we don't need isn't really a
big deal), or it might be more complicated.

# Fri Feb 28 10:57:57 2014 ghudson@mit.edu (Greg Hudson) - Comments added

Download (untitled) / with headers
text/plain 1KiB

I took a closer look at the gic_opt fields. The following fields affect
preauth and must be carried over:

* Preauth list
* Salt
* Preauth options
* FAST ccache
* Input ccache
* FAST flags
* Responder: affects preauth, must be carried over.

The canonicalize flag should also be carried over, making eight fields
we must carry over.

The following fields could be harmful if carried over:

* Forwardable: could cause failure due to #7871
* Proxiable: same
* Output ccache: we do not want to store the kadmin/changepw ticket
* Anonymous: we can't change a password with an anonymous ticket
* Etype list: could cause failure if kadmin/changepw has only one key.

It's probably also best not to carry over the address list, making six
fields we would not want to carry over. As long as we have to make
changes, the ticket lifetime and renewable lifetime fields should also
be set (to 300 and 0 as they are onw).

The remaining two fields (change password prompt flag and expiration
callback) are irrelevant as they are interpreted by gic_pwd.c.

# Fri Feb 28 12:38:43 2014 ghudson@mit.edu (Greg Hudson) - Ticket 7868 RefersTo ticket 7871.

# Fri Feb 28 18:29:29 2014 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'open'

# Fri Feb 28 18:29:29 2014 ghudson@mit.edu (Greg Hudson) - Comments added

Subject:

krb5_get_init_creds_password ignores preauth options when changing password

Download (untitled) / with headers
text/plain 128B

Correction: the etype list is used for optimistic preauth, and should
therefore be in the list of things we want to carry over.

# Fri Feb 28 18:29:57 2014 ghudson@mit.edu (Greg Hudson) - Subject changed from 'FAST not used for password change request' to 'krb5_get_init_creds_password ignores preauth options when changing password'

# Mon Mar 03 12:04:59 2014 ghudson@mit.edu (Greg Hudson) - Given to ghudson@mit.edu (Greg Hudson)

# Mon Mar 03 12:04:59 2014 ghudson@mit.edu (Greg Hudson) - Status changed from 'open' to 'review'

# Mon Mar 03 12:04:59 2014 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 714B

Use preauth options when changing password

If we try to change the password in rb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket. Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.

https://github.com/krb5/krb5/commit/9f9c4acd9629913d2ff197e0f4994d091f2073d5
Author: Greg Hudson <ghudson@mit.edu>
Commit: 9f9c4acd9629913d2ff197e0f4994d091f2073d5
Branch: master
src/lib/krb5/krb/gic_pwd.c | 63 +++++++++++++++++++++++++++++++++++--------
1 files changed, 51 insertions(+), 12 deletions(-)

# Mon Mar 03 12:05:00 2014 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 374B

Add tests for gic_pwd password change

https://github.com/krb5/krb5/commit/06817686bfdef99523f300464bcbb0c8b037a27d
Author: Greg Hudson <ghudson@mit.edu>
Commit: 06817686bfdef99523f300464bcbb0c8b037a27d
Branch: master
src/tests/Makefile.in | 1 +
src/tests/t_changepw.py | 37 +++++++++++++++++++++++++++++++++++++
2 files changed, 38 insertions(+), 0 deletions(-)

# Tue Aug 12 18:27:38 2014 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Tue Aug 12 18:27:38 2014 tlyu (Taylor Yu) - Version_Fixed 1.13 added