Red Hat Bugzilla – Bug 155265
Kerberos password change fails, but user is told that it succeeded
Last modified: 2007-11-30 17:11:04 EST
I'm running stock FC3 with pam_krb5-2.1.2-1. My server is an FC2 machine running
I'm seeing password changes via "passwd" appear to succeed with the message:
passwd: all authentication tokens updated successfully.
and the logged entry:
passwd: pam_krb5: password changed for XXXX
but the server logs errors like:
kadmind(Notice): chpw request from XXXX for XXXX: Cannot reuse password
kadmind(Notice): chpw request from XXXX for XXXX: Password is too short
It seems the error is not being propagated back to the user. If I use a
password that doesn't trigger the length or reuse errors, the change succeeds.
I'll attach my /etc/pam.d/system-auth.
Created attachment 113336
I built and installed pam_krb5-2.1.5-1; the problem is still present.
I read over the pam_krb5 source and it looks like everything is done by calling
krb5_change_password which is part of Kerberos, and the return , so I built and
installed krb5 1.4-3 from Rawhide. The behavior still did not change. However,
I note that using kpasswd works fine and properly reports errors.
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.
I don't believe I can reproduce this with a modern release.
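The mismatch described in this report (the client logs "password changed" while kadmind logs a rejection) can be detected by correlating the two logs. The following is an added example, not part of the original report or of pam_krb5; the syslog-style timestamp and host prefix, the sample log lines, and the assumption that client and KDC clocks agree to within a few seconds are all illustrative.

```python
import re
from datetime import datetime, timedelta

# Rejection reasons quoted from the kadmind lines in the report.
REJECTIONS = ("Cannot reuse password", "Password is too short")
STAMP = r"(\w{3} +\d+ [\d:]{8}) \S+ "  # assumed syslog prefix: time, host
CLIENT_RE = re.compile(STAMP + r"passwd: pam_krb5: password changed for (\S+)$")
KDC_RE = re.compile(STAMP + r"kadmind\(Notice\): chpw request from \S+ "
                    r"for ([^@:\s]+)(?:@\S+)?: (.+)$")

# Constructed sample logs; hosts, users, addresses and times are made up.
CLIENT_LOG = """\
Apr 18 10:02:11 ws1 passwd: pam_krb5: password changed for alice
Apr 18 10:07:40 ws1 passwd: pam_krb5: password changed for bob
Apr 18 10:30:05 ws2 passwd: pam_krb5: password changed for carol
"""
KDC_LOG = """\
Apr 18 10:02:12 kdc1 kadmind(Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.COM: Password is too short
Apr 18 10:20:00 kdc1 kadmind(Notice): chpw request from 192.0.2.12 for carol@EXAMPLE.COM: Cannot reuse password
"""

def _ts(stamp, year=2005):
    # Syslog stamps carry no year; one is assumed so they can be compared.
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def false_successes(client_log, kdc_log, window=timedelta(seconds=5)):
    """List (user, client_stamp, reason) for client-side successes that a
    kadmind rejection for the same user contradicts within `window`."""
    rejected = []
    for line in kdc_log.splitlines():
        m = KDC_RE.match(line)
        if m and m.group(3) in REJECTIONS:
            rejected.append((m.group(2), _ts(m.group(1)), m.group(3)))
    hits = []
    for line in client_log.splitlines():
        m = CLIENT_RE.match(line)
        if not m:
            continue
        when = _ts(m.group(1))
        for user, r_when, reason in rejected:
            if user == m.group(2) and abs(r_when - when) <= window:
                hits.append((user, m.group(1), reason))
                break
    return hits

if __name__ == "__main__":
    for hit in false_successes(CLIENT_LOG, KDC_LOG):
        print("client reported success but KDC rejected:", hit)
```

Each hit is an account whose user was told the password changed while the KDC kept the old one; widen `window` if the hosts' clocks drift.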