Bug 155265 - Kerberos password change fails, but user is told that it succeeded
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: 3
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Reported: 2005-04-18 18:14 UTC by Jason Tibbitts
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.2.11-1
Last Closed: 2007-02-08 16:19:12 UTC


Attachments
/etc/pam.d/system-auth (1.11 KB, text/plain)
2005-04-18 18:14 UTC, Jason Tibbitts

Description Jason Tibbitts 2005-04-18 18:14:27 UTC
I'm running stock FC3 with pam_krb5-2.1.2-1.  My server is an FC2 machine running
krb5-server-1.3.6-4.

I'm seeing password changes via "passwd" appear to succeed with the message:

passwd: all authentication tokens updated successfully.

and the logged entry:

passwd[6158]: pam_krb5[6158]: password changed for XXXX

but the server logs errors like:

kadmind[2030](Notice): chpw request from XXXX for XXXX: Cannot reuse password

kadmind[2030](Notice): chpw request from XXXX for XXXX: Password is too short

It seems the error is not being propagated back to the user.  If I use a
password that doesn't trigger the length or reuse errors, the change succeeds.

I'll attach my /etc/pam.d/system-auth.
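
An added example, not part of the original report and not pam_krb5 code: a log cross-check that flags client-side "password changed" entries contradicted by a kadmind chpw rejection for the same user. The syslog timestamp/host prefix, the sample users and addresses, the 5-second window, and the assumption that kadmind logs "success" for an accepted change are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Message bodies follow the lines quoted in the report; the leading
# "Mon DD HH:MM:SS host" syslog prefix is an assumption.
CLIENT_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ passwd\[\d+\]: "
                       r"pam_krb5\[\d+\]: password changed for (\S+)$")
SERVER_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ kadmind\[\d+\]\(Notice\): "
                       r"chpw request from (\S+) for (\S+): (.+)$")

def _ts(text, year=2005):
    # Classic syslog timestamps carry no year, so one is assumed.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def _user(principal):
    # Compare on the primary name only, dropping any @REALM suffix.
    return principal.split("@", 1)[0]

def false_successes(client_lines, server_lines, window=timedelta(seconds=5)):
    """Return (time, user, server_reason) for each client "password changed"
    entry that has a kadmind rejection for the same user within `window`."""
    rejections = []
    for line in server_lines:
        m = SERVER_RE.match(line)
        # Assumption: an accepted change is logged with the reason "success".
        if m and m.group(4).strip().lower() != "success":
            rejections.append((_ts(m.group(1)), _user(m.group(3)), m.group(4).strip()))
    findings = []
    for line in client_lines:
        m = CLIENT_RE.match(line)
        if not m:
            continue
        when, user = _ts(m.group(1)), _user(m.group(2))
        for r_when, r_user, reason in rejections:
            if r_user == user and abs(r_when - when) <= window:
                findings.append((when.isoformat(), user, reason))
                break
    return findings

# Constructed sample lines (hosts, users, addresses and times are invented).
CLIENT_LOG = [
    "Apr 18 18:02:11 ws1 passwd[6158]: pam_krb5[6158]: password changed for alice",
    "Apr 18 18:05:40 ws1 passwd[6190]: pam_krb5[6190]: password changed for bob",
    "Apr 18 18:09:03 ws1 passwd[6201]: pam_krb5[6201]: password changed for alice",
]
SERVER_LOG = [
    "Apr 18 18:02:11 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.COM: Cannot reuse password",
    "Apr 18 18:05:41 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for bob@EXAMPLE.COM: Password is too short",
    "Apr 18 18:09:03 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.COM: success",
]
```

Each finding marks a user who was told the change succeeded while still holding the old password, so those accounts need the change repeated.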

Comment 1 Jason Tibbitts 2005-04-18 18:14:27 UTC
Created attachment 113336
/etc/pam.d/system-auth

Comment 2 Jason Tibbitts 2005-04-18 20:07:24 UTC
I built and installed pam_krb5-2.1.5-1; the problem is still present.

Comment 3 Jason Tibbitts 2005-04-19 16:39:39 UTC
I read over the pam_krb5 source and it looks like everything is done by calling
krb5_change_password which is part of Kerberos, and the return , so I built and
installed krb5 1.4-3 from Rawhide.  The behavior still did not change.  However,
I note that using kpasswd works fine and properly reports errors.

Comment 4 Matthew Miller 2006-07-10 20:22:54 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 5 Jason Tibbitts 2007-02-08 16:19:12 UTC
I don't believe I can reproduce this with a modern release.

