Red Hat Bugzilla – Bug 155265
Kerberos password change fails, but user is told that it succeeded
Last modified: 2007-11-30 17:11:04 EST
I'm runing stock FC3 with pam_krb5-2.1.2-1. My server is an FC2 machine running krb5-server-1.3.6-4. I'm seeing password changes via "passwd" appear to succeed with the message: passwd: all authentication tokens updated successfully. and the logged entry: passwd[6158]: pam_krb5[6158]: password changed for XXXX but the server logs errors like: kadmind[2030](Notice): chpw request from XXXX for XXXX: Cannot reuse password kadmind[2030](Notice): chpw request from XXXX for XXXX: Password is too short It seems the error is not being propagated back to the user. If I use a password that doesn't trigger the length or reuse errors, the change succeeds. I'll attach my /etc/pam.d/system-auth.
Created attachment 113336 [details] /etc/pam.d/system-auth
I built and installed pam_krb5-2.1.5-1; the problem is still present.
I read over the pam_krb5 source and it looks like everything is done by calling krb5_change_password which is part of Kerberos, and the return , so I built and installd krb5 1.4-3 from Rawhide. The behavior still did not change. However, I note that using kpasswd works fine and properly reports errors.
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!
I don't believe I can reproduce this with a modern release.