krb5-kdc: Cannot change passwords if password history is used
Nico Williams
nico at cryptonector.com
Wed Mar 7 11:43:11 EST 2012
On Wed, Mar 7, 2012 at 10:33 AM, Tom Yu <tlyu at mit.edu> wrote:
> Nico Williams <nico at cryptonector.com> writes:
>
>> But there's no integrity protection for most of the KDB, so there's no
>> way to know if the problem is corruption. That said, I agree with
>> you: removing the required key == removing that part of the password
>> history keyed with that key.
>
> The keys that the KDC uses to encrypt long-term keys (and key
> histories) in the KDB typically provide integrity protection. What
> sort of corruption were you thinking of?
Only things encrypted with the master key and such are integrity
protected. Things like principal names, attributes, kvnos, ... -> not
integrity protected.
Bit rot occurs. I was explaining why a developer might think that in
this case it's better to fail the operation (password change), but in
practice -and if we ignore corruption- users would really prefer to
have the code ignore the affected history entry.
Nico
--
More information about the Kerberos
mailing list