[krbdev.mit.edu #6888] No explanation of failed passwd entry if REQUIRES_PWCHANGE is set

The RT System itself via RT rt-comment at krbdev.mit.edu
Mon Mar 28 17:31:41 EDT 2011


Date: Mon, 28 Mar 2011 17:36:33 +0200
Message-Id: <201103281536.p2SFaXeY013650 at ncd-11.MPA-Garching.MPG.DE>
To: krb5-bugs at mit.edu
Subject: No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
From: arnolds at mpa-garching.mpg.de


>Submitter-Id:	net
>Originator:	Heinz-Ado Arnolds
>Organization:
>Confidential:	no
>Synopsis:	No explanation of failed passwd entry if REQUIRES_PWCHANGE is set
>Severity:	non-critical
>Priority:	medium
>Category:	krb5-libs
>Class:		sw-bug
>Release:	1.9
>Environment:
System: Linux ncd-11 2.6.37.4 #1 SMP PREEMPT Mon Mar 21 17:46:54 CET 2011 x86_64 GNU/Linux
Architecture: x86_64

>Description:
	
Dear Ladies and Gentlemen,

I have found a problem when a principal is marked with the attribute "REQUIRES_PWCHANGE". If a user tries to change the password with his first login, violations of the password requirements are not reported. That might be very inconvenient for an inexperienced user. While for example kpasswd comments on a character class failure, the same is handled without any error message by a forced password change.

The reason for this behaviour is that krb5_change_password (called by krb5_get_init_creds_password()) gives a KRB5_KPASSWD_HARDERROR if requirements are not met and the password entry loop is left immediately without any message (i.e. Too many authentication failures for ...).

Enclosed you'll find a patch to gic_pwd.c which fixes that situation. I'm sure that you'll know of niftier solutions for fixing that.

Thanks a lot for your effort in developing krb5 and kind regards,

Ado

>How-To-Repeat:
	
see above
>Fix:
	
diff -ur krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c krb5-1.9/src/lib/krb5/krb/gic_pwd.c
--- krb5-1.9.orig/src/lib/krb5/krb/gic_pwd.c    2010-12-01 03:16:37.000000000 +0100
+++ krb5-1.9/src/lib/krb5/krb/gic_pwd.c 2011-03-28 17:12:50.000000000 +0200
@@ -401,7 +401,12 @@
 
             ret = KRB5_CHPW_FAIL;
 
-            if (result_code != KRB5_KPASSWD_SOFTERROR) {
+            /* don't finally fail (show error and try again) if character
+               class requirements were not met */
+            if (result_code != KRB5_KPASSWD_SOFTERROR &&
+                !(result_code == KRB5_KPASSWD_HARDERROR &&
+                  !strncmp(result_string.data, "New password does not have enough character classes", 51) )
+                ) {
                 free(result_string.data);
                 goto cleanup;
             }
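Review bot: the new condition compares result_string.data with strncmp, but result_string is a krb5_data (a counted buffer) and the text returned by the KDC is not guaranteed to be NUL-terminated, so a reply shorter than 51 bytes whose bytes happen to match the literal can be read past its end; guard the comparison with `result_string.length >= 51` (or use memcmp bounded by the length) and derive the count from the literal with `sizeof("...") - 1` rather than hard-coding 51. Matching a single English message also means every other password-policy failure that arrives as KRB5_KPASSWD_HARDERROR still drops out of the loop silently, which is the behaviour the report complains about; a more robust alternative is to report any HARDERROR that carries a non-empty result_string to the user before deciding whether to retry.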

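The retry decision described in the report, written as an added example with a length-aware match instead of a bare strncmp; this is not code from the original post or from krb5. krb5_data is modelled with a minimal stand-in struct, and the result codes are the RFC 3244 values, assumed to match krb5's headers.

```c
/* Added example (not krb5 project code): decide whether a kpasswd failure
 * should be shown to the user and retried, without over-reading the reply. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Result codes as defined in RFC 3244 (assumed to match krb5's kpasswd.h). */
#define KRB5_KPASSWD_SUCCESS   0
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_SOFTERROR 4

/* Stand-in for krb5_data: the KDC's result string is a counted buffer and
 * is NOT guaranteed to be NUL-terminated, so strlen/strncmp on .data alone
 * can read past the end of the reply. */
struct kdata {
    size_t length;
    const char *data;
};

/* Policy messages that are HARDERROR on the wire but, from the user's point
 * of view, just mean "pick another password". Constructed list for this
 * example; the first entry is the message quoted in the report's patch. */
static const char *const retryable_prefixes[] = {
    "New password does not have enough character classes",
    "New password is too short",
    NULL
};

/* Returns true when the caller should display result_string and prompt
 * again instead of leaving the password-change loop. */
bool chpw_should_retry(int result_code, const struct kdata *result_string)
{
    if (result_code == KRB5_KPASSWD_SOFTERROR)
        return true;                       /* krb5 already retries on this */
    if (result_code != KRB5_KPASSWD_HARDERROR || result_string == NULL)
        return false;
    for (const char *const *p = retryable_prefixes; *p != NULL; p++) {
        size_t n = strlen(*p);
        /* Bound the comparison by the counted length, never by the data. */
        if (result_string->length >= n &&
            memcmp(result_string->data, *p, n) == 0)
            return true;
    }
    return false;
}
```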