krb5-kdc: Cannot change passwords if password history is used

Christopher Odenbach odenbach at uni-paderborn.de
Wed Mar 7 03:24:48 EST 2012




Hi,

> I believe we've figured out what led to this situation.
> 
> * In 1.2 and prior, kadmin/history was created with all of the 
> supported key:salt types.

That's it. Our realm dates back to 2002, so that was before the
release of 1.2.

> In 1.3 and later, kadmin/history is created with only the master
> key enctype.
> 
> * In 1.7 and prior, the kadmin/history key is selected by looking
> for a key entry of the master key enctype (which was problematic if
> the master key enctype changed).  In 1.8 and later, the first key
> entry is selected.
> 
> So, a KDB created with 1.2 or earlier, and with password history 
> entries from 1.7 or earlier, will run into this problem when used
> with 1.8 or later.

OK, so there could be quite a number of realms affected by the bug,
especially the old ones.

> Our likely fix will be to try all kadmin/history keys when
> decrypting password history entries.  This should be cheap in most
> cases because most KDBs have only one kadmin/history key.

Correct.

> We're also reconsidering whether failure to decrypt a history
> entry should continue to be fatal to the password change operation,
> or if the history entry should just be ignored (which could wrongly
> permit the use of historical passwords).

Well, if a password cannot be decrypted because the needed key is not
there anymore there is no point in letting the password change fail.
Provided of course that every history key is tried.

> I can see two workarounds (short of disabling password history 
> altogether):
> 
> 1. Roll the history key with "cpw -randkey kadmin/history".  This
> will cause all of your users' existing password history entries to
> be ignored, so don't do so lightly.

I missed -randkey. I had tried it without but just got the message

change_password: Cannot change protected principal while changing
password for "kadmin/history@UNI-PADERBORN.DE".

So I did not try -randkey because the error message seemed clear. It
was not.

> 2. When we have a fix prepared, apply it to your KDC source code
> and rebuild.

Thanks. I shall just wait a while.

Are there any plans to make the master key and the history key
changeable without losing historic data?

Many regards,

Christopher

-- 
======================================================
    Dipl.-Ing. Christopher Odenbach
    Zentrum fuer Informations- und Medientechnologien
    Universitaet Paderborn
    Raum N5.122
    odenbach at uni-paderborn.de
    Tel.: +49 5251 60 5315
======================================================
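The history-key selection behaviour discussed in this thread (1.7 picks the kadmin/history key by master-key enctype, 1.8 picks the first key entry, and the proposed fix tries every key), modelled as an added Python example. This is not MIT krb5 code: the enctype labels, key bytes, the "toy" authenticated cipher and the sample history entry are all constructed so the script runs offline; a real KDC uses Kerberos enctypes and the KDB API. It also shows the strict-versus-lenient question raised in the thread, and what happens to old entries after the history key is rolled.

```python
"""Model of kadmin/history key selection across MIT krb5 versions (added example)."""
import hashlib
import hmac
import os

# Constructed enctype labels standing in for real Kerberos enctype numbers.
DES_CBC_CRC = "des-cbc-crc"
AES256 = "aes256-cts-hmac-sha1-96"


class HistoryDecryptError(Exception):
    """Raised when a history entry cannot be decrypted with the candidate key(s)."""


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy keystream derived from SHA-256; only for the demonstration below.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Toy authenticated encryption: keystream XOR plus an HMAC tag, so that a
    # wrong key is detected instead of yielding garbage (as a real enctype would).
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise HistoryDecryptError("history entry does not verify under this key")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))


# A kadmin/history principal carrying several key entries, as a KDB created
# with 1.2 or earlier would have.  Entries are (enctype, key); order matters.
HISTORY_KEYS = [
    (DES_CBC_CRC, b"k" * 8),   # constructed first entry
    (AES256, b"a" * 32),       # constructed second entry
]


def select_history_key_1_7(keys, master_enctype):
    """1.7 and earlier: the entry whose enctype matches the master key enctype."""
    for enctype, key in keys:
        if enctype == master_enctype:
            return key
    return None


def select_history_key_1_8(keys):
    """1.8 and later: simply the first key entry."""
    return keys[0][1]


def decrypt_history_entry(keys, blob, try_all=True, strict=True):
    """Proposed fix: try every kadmin/history key (cheap when there is only one).

    strict=True keeps a failed decrypt fatal to the password change;
    strict=False ignores the entry, which could let an old password be reused.
    """
    candidates = [k for _, k in keys] if try_all else [select_history_key_1_8(keys)]
    for key in candidates:
        try:
            return toy_decrypt(key, blob)
        except HistoryDecryptError:
            continue
    if strict:
        raise HistoryDecryptError("no kadmin/history key decrypts this entry")
    return None


def demonstrate():
    """Walk through the situation described in the thread; returns the outcomes."""
    master_enctype = AES256  # constructed: master key was migrated to AES at some point
    key_1_7 = select_history_key_1_7(HISTORY_KEYS, master_enctype)
    entry = toy_encrypt(key_1_7, b"old-password-key")  # entry written by a 1.7 KDC
    results = {}
    try:  # 1.8 without the fix: only the first (DES) entry is tried
        decrypt_history_entry(HISTORY_KEYS, entry, try_all=False)
        results["1.8_first_key_only"] = "ok"
    except HistoryDecryptError:
        results["1.8_first_key_only"] = "fail"
    # With the fix, the AES entry is reached and the old entry decrypts.
    results["fix_try_all"] = decrypt_history_entry(HISTORY_KEYS, entry) == b"old-password-key"
    # After "cpw -randkey kadmin/history" the old entries are unreadable:
    rolled = [(AES256, os.urandom(32))]
    try:
        decrypt_history_entry(rolled, entry)
        results["after_randkey_strict"] = "ok"
    except HistoryDecryptError:
        results["after_randkey_strict"] = "fail"
    results["after_randkey_lenient"] = decrypt_history_entry(rolled, entry, strict=False)
    return results


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k}: {v}")
```

The lenient branch is exactly the trade-off the thread discusses: rolling the history key or losing the matching key entry makes every earlier entry undecryptable, and ignoring those entries silently removes the reuse check they were meant to enforce.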