[krbdev.mit.edu #8949] Provide Means to Prevent a User Changing its Password

Greg Hudson via RT rt at krbdev.mit.edu
Wed Sep 16 18:37:18 EDT 2020


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8949 >

Note that every user of the demo account will be able to decrypt every other
user's communications, unless SPAKE preauth is used (and even then an MITM
attack is likely possible).

I believe this use case is currently possible in three suboptimal ways, the
first of which is probably easiest:

1. Set a long min_life on the principal.

2. Provide a password quality plugin module which always fails the quality
check for this principal.

3. Disable the "self" kadm5_auth module, and instead provide a new module which
enables self-service for every principal but this one.
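The first approach above, carried out with kadmin.local, as an added example; this is not the ticket author's or the krb5 project's code. The realm EXAMPLE.COM, the principal name demo and the policy name frozen-password are assumptions. It also spells out two caveats the list does not: min_life is stored as a krb5_deltat (signed 32-bit seconds), so a lifetime beyond about 68 years overflows, and kadmind only enforces min_life when a principal changes its own password (and skips the check while REQUIRES_PWCHANGE is set), so administrators and kadmin.local keep the ability to change it.

```shell
#!/bin/sh
# Added example (not from the ticket or the krb5 project): freeze the password
# of one shared principal by attaching a kadmin policy with a very long
# min_life (approach 1). Realm, principal and policy names are assumptions.
set -eu

REALM=${REALM:-EXAMPLE.COM}
DEMO_PRINC=${DEMO_PRINC:-demo@$REALM}
POLICY=${POLICY:-frozen-password}

# kadmin's -minlife takes a getdate-style relative time and stores the
# difference as a krb5_deltat (signed 32-bit seconds). 68 years is about
# 2145916800 s, just under 2^31 - 1; 69 years would wrap, so refuse it.
minlife_spec() {
    years=$1
    if [ "$years" -lt 1 ] || [ "$years" -gt 68 ]; then
        echo "min_life of $years years does not fit in krb5_deltat" >&2
        return 1
    fi
    echo "$years years"
}

freeze_password() {
    spec=$(minlife_spec 50)
    # kadmind enforces min_life only when a principal changes its own
    # password (kpasswd, or kadmin -p demo). Changes by an administrator
    # holding the changepw ACL bit, or via kadmin.local, are not subject to
    # it, so the KDC operator can still rotate the demo password.
    # Use "modpol" instead of "addpol" if the policy already exists.
    kadmin.local -q "addpol -minlife \"$spec\" $POLICY"
    kadmin.local -q "modprinc -policy $POLICY $DEMO_PRINC"
    # The min_life check is skipped while REQUIRES_PWCHANGE is set, so make
    # sure the demo principal is not flagged +needchange.
    kadmin.local -q "modprinc -needchange $DEMO_PRINC"
}

show_state() {
    # "Minimum password life:" in getpol output is the value in seconds;
    # getprinc should show "Policy: frozen-password" and no needchange flag.
    kadmin.local -q "getpol $POLICY"
    kadmin.local -q "getprinc $DEMO_PRINC"
}

# After applying, a self-service change such as
#   kadmin -p "$DEMO_PRINC" -q "cpw $DEMO_PRINC"
# is refused with KADM5_PASS_TOOSOON until min_life has elapsed.
if [ "${1-}" = "--apply" ]; then
    freeze_password
    show_state
fi
```

Run with `--apply` on the KDC as a user permitted to run kadmin.local. Because min_life is measured from the principal's last password change, set the demo password first and apply the policy afterwards; any later administrative cpw restarts the clock but does not reopen self-service changes.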

More information about the krb5-bugs mailing list