krb5-kdc: Cannot change passwords if password history is used

Christopher Odenbach odenbach at uni-paderborn.de
Tue Mar 6 07:59:34 EST 2012



Hi,

we recently updated our master KDC from Debian Lenny to Debian
Squeeze. This included a Kerberos upgrade from 1.6 to 1.8. After the
update several users were no longer able to change their passwords,
no matter if kpasswd or kadmin.local was used:

change_password: Message size is incompatible with encryption type
while changing password for "tex1 at UNI-PADERBORN.DE".

All our user principals use a policy which sets a password history of
6. The problem disappeared as we set the history to 1, so that no
history was used at all.

Further investigation showed the involved code parts:

#0  krb5_k_decrypt (context=0x6129f0, key=0x636fc0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030)
    at ../../../../src/lib/crypto/krb/decrypt.c:54
#1  0x00007ffff6c31739 in krb5_c_decrypt (context=0x6129f0, keyblock=0x7fffffffc2f0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030)
    at ../../../../src/lib/crypto/krb/decrypt.c:100
#2  0x00007ffff77a4171 in krb5_dbekd_def_decrypt_key_data (context=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0)
    at ../../../src/lib/kdb/decrypt_key.c:92
#3  0x00007ffff77a3c67 in krb5_dbekd_decrypt_key_data (kcontext=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0)
    at ../../../src/lib/kdb/kdb5.c:2481
#4  0x00007ffff79c27be in check_pw_reuse (context=0x6129f0, mkey=0x6171b0, hist_keyblock=0x7fffffffc2f0, n_new_key_data=8, new_key_data=0x633d50, n_pw_hist_data=5, pw_hist_data=0x633650)
    at ../../../../src/lib/kadm5/srv/svr_principal.c:988
#5  0x00007ffff79c3441 in kadm5_chpass_principal_3 (server_handle=0x614830, principal=0x6335c0, keepold=0, n_ks_tuple=0, ks_tuple=0x0, password=0x611940 "Blafasel123")
    at ../../../../src/lib/kadm5/srv/svr_principal.c:1454
#6  0x00007ffff79c2ed1 in kadm5_chpass_principal (server_handle=0x614830, principal=0x6335c0, password=0x611940 "Blafasel123")
    at ../../../../src/lib/kadm5/srv/svr_principal.c:1334
#7  0x0000000000404849 in kadmin_cpw (argc=1, argv=0x629fc8)
    at ../../../src/kadmin/cli/kadmin.c:783
#8  0x00007ffff7bdbeda in ?? () from /lib/libss.so.2
#9  0x00007ffff7bdbfc5 in ss_execute_line () from /lib/libss.so.2
#10 0x00007ffff7bdc3ff in ss_listen () from /lib/libss.so.2
#11 0x00000000004077c5 in main (argc=1, argv=0x7fffffffe828)
    at ../../../src/kadmin/cli/ss_wrapper.c:61

(gdb) p input->ciphertext.length
$1 = 24
(gdb) p header_len
$2 = 8
(gdb) p trailer_len
$3 = 20
(gdb) p input->enctype
$4 = 511
(gdb) p ktp->etype
$5 = 16

So the history key type is Triple-DES. When we set up a new test realm
we found a DES key was used instead, just like the master key.

kadmin.local:  getprinc kadmin/history
Principal: kadmin/history at UNI-PADERBORN.DE
Expiration date: [never]
Last password change: Tue Dec 10 15:51:20 CET 2002
Password expiration date: [none]
Maximum ticket life: 0 days 00:01:04
Maximum renewable life: 0 days 00:00:00
Last modified: Tue Dec 10 15:51:20 CET 2002 (kdb5_util at UNI-PADERBON.DE)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes:
Policy: [none]

I have no idea why our realm database has these two enctypes for the
kadmin/history principal, but it has. The 1.8 code seems to have a
serious problem with that as it causes KRB5_BAD_MSIZE to be thrown.

How can we deal with this mess? Is it possible to remove the Triple
DES key from the kadmin/history principal? Or should the code be
changed to deal correctly with this issue?

I would like to reenable the password history but that is currently
only possible if every user changes his password (which is a problem
with > 25000 users).

Thanks for help,

Christopher

P.S.: This bug also exists as Debian bug #660869.
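
Added example, not part of the original message and not MIT krb5 source: a C sketch of why a 24-byte ciphertext fails a header-plus-trailer minimum-size test under the Triple DES history key, yet has exactly the length of a single-DES key wrapped with des-cbc-crc. The values 8, 20 and 24 come from the gdb session above; the des-cbc-crc framing (RFC 3961), the raw key sizes and all function names are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Ciphertext framing per history-key enctype. The des3-cbc-sha1 row uses
 * header_len=8 and trailer_len=20 from the gdb session in the post; the
 * des-cbc-crc row (8-byte confounder + 4-byte CRC, no trailer) is an
 * assumption taken from RFC 3961. */
struct framing { int etype; const char *name; size_t header, trailer, block; };

static const struct framing FRAMINGS[] = {
    {  1, "des-cbc-crc",   12,  0, 8 },
    { 16, "des3-cbc-sha1",  8, 20, 8 },
};
#define N_FRAMINGS (sizeof(FRAMINGS) / sizeof(FRAMINGS[0]))

/* Raw key sizes a history entry may hold (assumed): DES and Triple DES. */
static const size_t KEY_LENS[] = { 8, 24 };

/* Length of the ciphertext produced when `plain` bytes are wrapped. */
size_t wrapped_len(const struct framing *f, size_t plain)
{
    size_t body = f->header + plain;
    body = (body + f->block - 1) / f->block * f->block;  /* pad to block */
    return body + f->trailer;
}

/* Minimum-length test: the input must at least hold header and trailer. */
int passes_min_size(const struct framing *f, size_t ct_len)
{
    return ct_len >= f->header + f->trailer;
}

/* Etype whose framing explains ct_len for some key size, 0 if none. */
int explaining_etype(size_t ct_len)
{
    for (size_t i = 0; i < N_FRAMINGS; i++)
        for (size_t k = 0; k < sizeof(KEY_LENS) / sizeof(KEY_LENS[0]); k++)
            if (wrapped_len(&FRAMINGS[i], KEY_LENS[k]) == ct_len)
                return FRAMINGS[i].etype;
    return 0;
}

int main(void)
{
    size_t ct_len = 24;  /* input->ciphertext.length from the post */
    for (size_t i = 0; i < N_FRAMINGS; i++)
        printf("%-14s min-size check %s\n", FRAMINGS[i].name,
               passes_min_size(&FRAMINGS[i], ct_len) ? "passes" : "fails");
    printf("length %zu matches etype %d\n", ct_len, explaining_etype(ct_len));
    return 0;
}
```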