Password change protocol implementation, round 3
kenh at cmf.nrl.navy.mil
Fri Mar 12 17:36:38 EST 2004
So, like we talked about here previously, I've been working on the password
change protocol implemention. Here's what I've got so far:
- The guts of lib/krb5/os/changepw.c have been rewritten to use
- First off, it will try the request with a directional address. If
the server returns a KRB5_PASSWD_HARDERROR, it will retry the request
with a "normal" IP address in the KRB_PRIV. This works fine with
a 1.2-ish kadmind; I don't expect any problems with 1.3.x (but I'll
try that next week; it's on my list to upgrade my master KDC then
for IPv6 support). I only check for HARDERROR; I don't compare the
result string returned from the kadmin server. While a number of things
can cause HARDERROR to be returned, "Incorrect net address" is the only
one I've run into in practice. This means that in the default case,
you get two chpw requests in the logs, but I don't think that's a big
(Side note: is there a reason the chpw server doesn't return the actual
error string from com_err back to the user? Sure, it logs it, but it
would save me time from having to go to the KDC to check the logs).
- The directional address support that we talked about (flag in the
auth context, checking the directional address during KRB-PRIV
processing, support in krb5_auth_con_genaddrs()) has been implemented.
I haven't done any of the server work (changing the server to use the new
network library raeburn split off, reply cache) yet; that's next week.
I'm just sending this note as a sanity check ... this is what everyone
here who participated in this discussion agreed upon, right? If so,
can I commit this code? (Since this piece is independent of the the
server side and interoperates with the older server, what's in CVS will
at least interoperate with itself). If someone wants to review this
first, let me know.
More information about the krbdev