Bug 155265

Summary: Kerberos password change fails, but user is told that it succeeded
Product: [Fedora] Fedora Reporter: Jason Tibbitts <tibbs>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: mattdm
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: 2.2.11-1 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-02-08 11:19:12 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Attachments:
Description Flags
/etc/pam.d/system-auth none

Description Jason Tibbitts 2005-04-18 14:14:27 EDT
I'm runing stock FC3 with pam_krb5-2.1.2-1.  My server is an FC2 machine running
krb5-server-1.3.6-4.

I'm seeing password changes via "passwd" appear to succeed with the message:

passwd: all authentication tokens updated successfully.

and the logged entry:

passwd[6158]: pam_krb5[6158]: password changed for XXXX

but the server logs errors like:

kadmind[2030](Notice): chpw request from XXXX for XXXX: Cannot reuse password

kadmind[2030](Notice): chpw request from XXXX for XXXX: Password is too short

It seems the error is not being propagated back to the user.  If I use a
password that doesn't trigger the length or reuse errors, the change succeeds.

I'll attach my /etc/pam.d/system-auth.
Comment 1 Jason Tibbitts 2005-04-18 14:14:27 EDT
Created attachment 113336 [details]
/etc/pam.d/system-auth
Comment 2 Jason Tibbitts 2005-04-18 16:07:24 EDT
I built and installed pam_krb5-2.1.5-1; the problem is still present.
Comment 3 Jason Tibbitts 2005-04-19 12:39:39 EDT
I read over the pam_krb5 source and it looks like everything is done by calling
krb5_change_password which is part of Kerberos, and the return , so I built and
installd krb5 1.4-3 from Rawhide.  The behavior still did not change.  However,
I note that using kpasswd works fine and properly reports errors.
Comment 4 Matthew Miller 2006-07-10 16:22:54 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 5 Jason Tibbitts 2007-02-08 11:19:12 EST
I don't believe I can reproduce this with a modern release.