addprinc -randkey broken in 1.7?

Marcus Watts mdw at umich.edu
Wed Sep 16 17:04:00 EDT 2009


 Russ Allbery <rra at stanford.edu> writes:
> Date:    Wed, 16 Sep 2009 13:13:13 PDT
> To:      "Leonard J. Peirce" <leonard.peirce at gmail.com>
> cc:      kerberos at mit.edu
> From:    Russ Allbery <rra at stanford.edu>
> Subject: Re: addprinc -randkey broken in 1.7?
> 
> "Leonard J. Peirce" <leonard.peirce at gmail.com> writes:
> 
> > When running (in kadmin)
> 
> >   addprinc -randkey host/host.domain
> 
> > I get a complaint about the password not containing enough character
> > classes.  Did I miss something?  Not really a big deal since I can
> > just specify a password.
> 
> > It used to work in 1.6.
> 
> addprinc -randkey hasn't worked for principals that have a password policy
> set for somet time for me.  The way -randkey works under the hood is that
> it adds the principal disabled with a fixed password (which is indeed
> pretty bad except that it's very long), then randomizes the key, and then
> enables the principal.
> 
> This has other strange artifacts (or at least did -- I don't know if
> they've been fixed).  For example, adding a principal with -randkey and
> -disallow_all_tix results in an enabled principal, igoring the
> -disallow_all_tix option.

Ah!  I have a patch for this.  I thought I had submitted this to MIT
long since, but I can't find any record that this happened.

Here's the patch:

/afs/umich.edu/user/m/d/mdw/build/krb5.15x/patches/krb5-1.6.3-ankfix1.patch

This changes the protocol to use a 'null' password to indicate randkey operation.
If a new client talks to an old server, the behavior is to fall back to the old case.
Obviously this was for 1.6.3, but it might apply to 1.7.

					-Marcus Watts



More information about the Kerberos mailing list