[krbdev.mit.edu #7868] FAST not used for password change request
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Fri Feb 28 10:57:57 EST 2014
I took a closer look at the gic_opt fields. The following fields affect
preauth and must be carried over:
* Preauth list
* Salt
* Preauth options
* FAST ccache
* Input ccache
* FAST flags
* Responder: affects preauth, must be carried over.
The canonicalize flag should also be carried over, making eight fields
we must carry over.
The following fields could be harmful if carried over:
* Forwardable: could cause failure due to #7871
* Proxiable: same
* Output ccache: we do not want to store the kadmin/changepw ticket
* Anonymous: we can't change a password with an anonymous ticket
* Etype list: could cause failure if kadmin/changepw has only one key.
It's probably also best not to carry over the address list, making six
fields we would not want to carry over. As long as we have to make
changes, the ticket lifetime and renewable lifetime fields should also
be set (to 300 and 0 as they are now).
The remaining two fields (change password prompt flag and expiration
callback) are irrelevant as they are interpreted by gic_pwd.c.
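The carry-over policy from the message above, as an added example that is not MIT krb5's code: gic_opt_model is a simplified stand-in for krb5_get_init_creds_opt plus its private extension (the private-part field names, make_changepw_opts, changepw_opts_ok and the sample values are assumptions made for this example), with the flag bits copied from the public KRB5_GET_INIT_CREDS_OPT_* constants in krb5.h. It derives the kadmin/changepw options with an explicit allowlist of the eight carried fields, sets the lifetimes to 300 and 0, and includes a check that rejects a naive whole-struct copy of the user's options.

```c
/*
 * Added example, not MIT krb5 code: a model of the gic_opt carry-over
 * policy for the kadmin/changepw request.  gic_opt_model is a simplified
 * stand-in for krb5_get_init_creds_opt (public part) plus the private
 * extension; the private-part field names are assumptions.
 */
#include <stddef.h>
#include <string.h>

/* Flag bits mirror the public KRB5_GET_INIT_CREDS_OPT_* values in krb5.h. */
#define OPT_TKT_LIFE      0x0001
#define OPT_RENEW_LIFE    0x0002
#define OPT_FORWARDABLE   0x0004
#define OPT_PROXIABLE     0x0008
#define OPT_ETYPE_LIST    0x0010
#define OPT_ADDRESS_LIST  0x0020
#define OPT_PREAUTH_LIST  0x0040
#define OPT_SALT          0x0080
#define OPT_CHG_PWD_PRMPT 0x0100
#define OPT_CANONICALIZE  0x0200
#define OPT_ANONYMOUS     0x0400

typedef struct {
    /* public part, field names as in krb5_get_init_creds_opt */
    int flags;
    int tkt_life, renew_life;
    int forwardable, proxiable;
    const int *etype_list;    int etype_list_length;
    const void *address_list;
    const int *preauth_list;  int preauth_list_length;
    const char *salt;
    /* private part: stand-in names (assumptions) for the extended options */
    const char *fast_ccache_name;   /* FAST ccache */
    int fast_flags;                 /* FAST flags */
    const void *in_ccache;          /* input ccache */
    const void *out_ccache;         /* output ccache */
    const void *responder;          /* responder callback */
    const void *pa_options;         /* set via krb5_get_init_creds_opt_set_pa */
    const void *expire_cb;          /* expiration callback */
} gic_opt_model;

/* Derive the options for the kadmin/changepw request from the user's. */
void make_changepw_opts(const gic_opt_model *user, gic_opt_model *pw)
{
    memset(pw, 0, sizeof(*pw));   /* anything not copied below stays unset */

    /* The eight carried-over fields: they affect preauth (or name
     * canonicalization) and must match the user's original request. */
    pw->flags = user->flags & (OPT_PREAUTH_LIST | OPT_SALT | OPT_CANONICALIZE);
    pw->preauth_list = user->preauth_list;
    pw->preauth_list_length = user->preauth_list_length;
    pw->salt = user->salt;
    pw->pa_options = user->pa_options;
    pw->fast_ccache_name = user->fast_ccache_name;
    pw->fast_flags = user->fast_flags;
    pw->in_ccache = user->in_ccache;
    pw->responder = user->responder;

    /* Deliberately NOT carried over (memset already cleared them):
     * forwardable, proxiable, out_ccache, anonymous, etype_list,
     * address_list.  Lifetimes are set explicitly for the short-lived
     * changepw ticket. */
    pw->flags |= OPT_TKT_LIFE | OPT_RENEW_LIFE;
    pw->tkt_life = 300;
    pw->renew_life = 0;
}

/* Returns 1 if no harmful field leaked into pw and the lifetimes are as
 * expected, 0 otherwise. */
int changepw_opts_ok(const gic_opt_model *pw)
{
    int bad = OPT_FORWARDABLE | OPT_PROXIABLE | OPT_ANONYMOUS |
              OPT_ETYPE_LIST | OPT_ADDRESS_LIST;
    if (pw->flags & bad) return 0;
    if (pw->forwardable || pw->proxiable) return 0;
    if (pw->etype_list != NULL || pw->address_list != NULL) return 0;
    if (pw->out_ccache != NULL) return 0;
    if (!(pw->flags & OPT_TKT_LIFE) || pw->tkt_life != 300) return 0;
    if (!(pw->flags & OPT_RENEW_LIFE) || pw->renew_life != 0) return 0;
    return 1;
}

/* Constructed sample: a user opt with every field populated (values are
 * made up for the example; &dummy stands in for real handles). */
void sample_user_opts(gic_opt_model *u)
{
    static const int etypes[] = { 18, 17 };   /* aes256-cts, aes128-cts */
    static const int patypes[] = { 2 };       /* PA-ENC-TIMESTAMP */
    static int dummy;
    memset(u, 0, sizeof(*u));
    u->flags = OPT_TKT_LIFE | OPT_RENEW_LIFE | OPT_FORWARDABLE | OPT_PROXIABLE |
               OPT_ETYPE_LIST | OPT_ADDRESS_LIST | OPT_PREAUTH_LIST | OPT_SALT |
               OPT_CHG_PWD_PRMPT | OPT_CANONICALIZE | OPT_ANONYMOUS;
    u->tkt_life = 36000; u->renew_life = 604800;
    u->forwardable = 1; u->proxiable = 1;
    u->etype_list = etypes; u->etype_list_length = 2;
    u->address_list = &dummy;
    u->preauth_list = patypes; u->preauth_list_length = 1;
    u->salt = "EXAMPLE.COMuser";
    u->fast_ccache_name = "FILE:/tmp/armor";
    u->fast_flags = 1;
    u->in_ccache = &dummy; u->out_ccache = &dummy;
    u->responder = &dummy; u->pa_options = &dummy; u->expire_cb = &dummy;
}

/* Returns 1 if the derived opts pass the check with the carried fields
 * intact, and a naive whole-struct copy is (correctly) rejected. */
int run_example(void)
{
    gic_opt_model user, pw, naive;
    sample_user_opts(&user);
    make_changepw_opts(&user, &pw);
    if (!changepw_opts_ok(&pw)) return 0;
    if (pw.fast_flags != user.fast_flags) return 0;
    if (pw.fast_ccache_name != user.fast_ccache_name) return 0;
    if (pw.salt != user.salt || pw.responder != user.responder) return 0;
    if (!(pw.flags & OPT_CANONICALIZE)) return 0;
    naive = user;                  /* the bug: reusing the user's opts as-is */
    if (changepw_opts_ok(&naive)) return 0;
    return 1;
}
```

The allowlist shape matters more than the field names: starting from a zeroed struct and copying only the carried fields means a new option added to gic_opt later defaults to "not carried" until someone decides it should be, which is the safe default for a request that only needs to reach kadmin/changepw.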