Bug 155265 - Kerberos password change fails, but user is told that it succeeded
Product: Fedora
Classification: Fedora
Component: pam_krb5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2005-04-18 14:14 EDT by Jason Tibbitts
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.11-1
Doc Type: Bug Fix
Last Closed: 2007-02-08 11:19:12 EST

Attachments
/etc/pam.d/system-auth (1.11 KB, text/plain)
2005-04-18 14:14 EDT, Jason Tibbitts

Description Jason Tibbitts 2005-04-18 14:14:27 EDT
I'm running stock FC3 with pam_krb5-2.1.2-1.  My server is an FC2 machine running

I'm seeing password changes via "passwd" appear to succeed with the message:

passwd: all authentication tokens updated successfully.

and the logged entry:

passwd[6158]: pam_krb5[6158]: password changed for XXXX

but the server logs errors like:

kadmind[2030](Notice): chpw request from XXXX for XXXX: Cannot reuse password

kadmind[2030](Notice): chpw request from XXXX for XXXX: Password is too short

It seems the error is not being propagated back to the user.  If I use a
password that doesn't trigger the length or reuse errors, the change succeeds.

I'll attach my /etc/pam.d/system-auth.
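
Added example, not part of the original report or of pam_krb5: a log check that pairs each client-side "password changed" entry with the kadmind chpw entry for the same user and flags the cases where the server rejected the change. The ISO timestamps, host names, addresses, principals and the "success" status string are assumptions, and the sample lines are constructed in the shape of the entries quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines shaped like the two log entries quoted in the report.
# Timestamps, host names, addresses and principals are made up.
CLIENT_LOG = """\
2005-04-18T14:02:10 ws1 passwd[6158]: pam_krb5[6158]: password changed for alice
2005-04-18T14:05:41 ws1 passwd[6201]: pam_krb5[6201]: password changed for bob
2005-04-18T14:09:03 ws2 passwd[7310]: pam_krb5[7310]: password changed for carol
"""
KDC_LOG = """\
2005-04-18T14:02:10 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.COM: Cannot reuse password
2005-04-18T14:05:42 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for bob@EXAMPLE.COM: success
2005-04-18T14:09:02 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.11 for carol@EXAMPLE.COM: Password is too short
"""

CLIENT_RE = re.compile(r"^(\S+) \S+ passwd\[\d+\]: pam_krb5\[\d+\]: password changed for (\S+)$")
KDC_RE = re.compile(r"^(\S+) \S+ kadmind\[\d+\]\(Notice\): chpw request from \S+ for (\S+): (.+)$")

def parse(text, pattern):
    """Yield (timestamp, user, *remaining groups) for each matching line."""
    for line in text.splitlines():
        m = pattern.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            user = m.group(2).split("@")[0]  # assumption: principal name == local user name
            yield (ts, user) + m.groups()[2:]

def false_successes(client_log, kdc_log, window=timedelta(seconds=5)):
    """Return (user, client_time, kdc_reason) for client 'password changed'
    entries whose nearest kadmind chpw entry within `window` is a rejection."""
    kdc = list(parse(kdc_log, KDC_RE))
    hits = []
    for ts, user in parse(client_log, CLIENT_RE):
        near = [(abs(kts - ts), reason) for kts, kuser, reason in kdc
                if kuser == user and abs(kts - ts) <= window]
        if near:
            reason = min(near)[1]  # closest server entry in time
            if reason != "success":  # assumption: kadmind logs "success" on acceptance
                hits.append((user, ts.isoformat(), reason))
    return hits

if __name__ == "__main__":
    for user, when, reason in false_successes(CLIENT_LOG, KDC_LOG):
        print(f"{when} {user}: client reported success, KDC said: {reason}")
```
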
Comment 1 Jason Tibbitts 2005-04-18 14:14:27 EDT
Created attachment 113336
Comment 2 Jason Tibbitts 2005-04-18 16:07:24 EDT
I built and installed pam_krb5-2.1.5-1; the problem is still present.
Comment 3 Jason Tibbitts 2005-04-19 12:39:39 EDT
I read over the pam_krb5 source and it looks like everything is done by calling
krb5_change_password which is part of Kerberos, and the return , so I built and
installed krb5 1.4-3 from Rawhide.  The behavior still did not change.  However,
I note that using kpasswd works fine and properly reports errors.
Comment 4 Matthew Miller 2006-07-10 16:22:54 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 5 Jason Tibbitts 2007-02-08 11:19:12 EST
I don't believe I can reproduce this with a modern release.
