pkinit and passwords issues

Thu Feb 11 16:28:35 EST 2010

I've noticed that if a princ's password has expired the KDC is sending
back a passwd expired error message even if PKINIT is being attempted
with a valid cert.  This strikes me as buggy.  Why should the KDC check
the validity of a princ's password if the princ is attempting PKINIT
preauth?

I believe the problem lies with this check in validate_as_request():

    /* The client's password must not be expired, unless the server is
       a KRB5_KDC_PWCHANGE_SERVICE. */
    if (client.pw_expiration && client.pw_expiration < kdc_time &&
        !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
        *status = "CLIENT KEY EXPIRED";
        if (vague_errors)
            return(KRB_ERR_GENERIC);
        else
            return(KDC_ERR_KEY_EXP);
    }

Thoughts?

Also, I didn't see any interface that allowed one to restrict the
preauth types a particular princ could use.  Does such an interface
exists and if not, should there be one?  One use case I'm thinking of is
one where user princs are only allowed to do PKINIT preauth.  How does
one go about doing this with the current princ record structure?  From
what I see, a principal can not be created without a password so this
leaves creating a user princ with a random password/key but this isn't
an absolute guarantee that they can't get a TGT using password based
preauth.  Thoughts?

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA