Red Hat Bugzilla – Bug 191231
pam_krb5 does not report KDC password rejection
Last modified: 2007-11-30 17:07:10 EST
Description of problem:
If a user attempts to change their K5 password via pam_krb5,
and the KDC rejects their newly selected password because it
is weak (too few characters, based on a dictionary word), the
user will not be notified that the operation failed.
The attached patch appears to correct this issue.
Version-Release number of selected component (if applicable):
pam_krb5-1.77-1, older releases as well.
Steps to Reproduce:
1. Configure PAM to call pam_krb5.so in the password module stack.
2. Using /usr/bin/passwd, attempt to change a user's K5 password
to a weak string the KDC will reject.
"passwd: all authentication tokens updated successfully." is reported,
but the user's K5 password has not been changed. An informational
message describing the error is sent to syslog.
pam_krb5 should report an error to the calling application.
Appears to affect RHEL4 as well.
Created attachment 128820 [details]
Patch which addresses this issue
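The failure mode described above (a rejected password change logged to syslog while pam_sm_chauthtok() still returns 0, so passwd reports success) and its fix, as an added illustration that is not pam_krb5's own code or the attached patch. It does not link against libpam or libkrb5: the PAM return values are Linux-PAM's numeric constants, `struct chpw_text` stands in for the krb5_data buffers that krb5_change_password() fills in, and the server response is a constructed sample mirroring the "4: Password change rejected" line in the customer's log (4 is KRB5_KPASSWD_SOFTERROR). The trailing junk in that log line is consistent with a length-counted krb5_data being printed as a NUL-terminated C string; that reading is an inference, not something the report states, and the example shows the length-aware alternative alongside the result-code fix.

```c
#include <stdio.h>
#include <string.h>

/* Linux-PAM return codes, defined here so the file builds without
   <security/pam_modules.h>. Values match Linux-PAM's _pam_types.h. */
#define PAM_SUCCESS      0
#define PAM_AUTHTOK_ERR  20

/* Stand-in for the krb5_data buffers returned by krb5_change_password():
   a byte buffer with an explicit length, NOT guaranteed NUL-terminated. */
struct chpw_text {
    unsigned int length;
    const char *data;
};

/* What the kpasswd exchange hands back: the numeric result code plus the
   server's text. 0 is success; 4 is KRB5_KPASSWD_SOFTERROR, which is what
   a policy rejection (reuse, too short, dictionary word) comes back as. */
struct chpw_result {
    int result_code;
    struct chpw_text result_string;
};

/* Behaviour the bug describes: the failure is logged, but the module still
   returns PAM_SUCCESS, so passwd prints "all authentication tokens updated
   successfully" even though the KDC did not accept the new password. */
int chauthtok_result_buggy(const struct chpw_result *r, char *log, size_t n)
{
    if (r->result_code != 0) {
        /* "%s" on a length-counted buffer keeps reading until it finds a
           NUL, which is one way junk ends up after the server's text. */
        snprintf(log, n, "changing Kerberos 5 password failed: %s (%d)",
                 r->result_string.data, r->result_code);
    }
    return PAM_SUCCESS;            /* always 0, even on failure */
}

/* Corrected behaviour: a non-zero kpasswd result becomes PAM_AUTHTOK_ERR
   so the calling application reports the failure, and the server text is
   printed with its length rather than as a C string. */
int chauthtok_result_fixed(const struct chpw_result *r, char *log, size_t n)
{
    if (r->result_code != 0) {
        snprintf(log, n, "changing Kerberos 5 password failed: %.*s (%d)",
                 (int) r->result_string.length, r->result_string.data,
                 r->result_code);
        return PAM_AUTHTOK_ERR;
    }
    snprintf(log, n, "Kerberos 5 password changed");
    return PAM_SUCCESS;
}

/* Constructed sample: the 24-byte server text followed by stray bytes that
   happen to sit after it in memory. A NUL is placed after the stray bytes
   here so the buggy "%s" stops in this demo; a real buffer offers no such
   guarantee. The stray bytes mirror the ones in the customer's log line. */
static const char sample_bytes[] = "Password change rejectedh\x9d\x0b\x08\x19";

struct chpw_result sample_rejection(void)
{
    struct chpw_result r;
    r.result_code = 4;                       /* KRB5_KPASSWD_SOFTERROR */
    r.result_string.length = 24;             /* strlen("Password change rejected") */
    r.result_string.data = sample_bytes;
    return r;
}

struct chpw_result sample_success(void)
{
    struct chpw_result r;
    r.result_code = 0;
    r.result_string.length = 0;
    r.result_string.data = "";
    return r;
}

int main(void)
{
    char log[256];
    struct chpw_result rej = sample_rejection();

    int rc = chauthtok_result_buggy(&rej, log, sizeof log);
    printf("buggy: rc=%d log=[%s]\n", rc, log);

    rc = chauthtok_result_fixed(&rej, log, sizeof log);
    printf("fixed: rc=%d log=[%s]\n", rc, log);
    return 0;
}
```

The two things a reviewer would check in the real module are the same two things the fixed function does: every non-zero result_code from the change-password call maps to a PAM error (PAM_AUTHTOK_ERR is the conventional choice for a rejected new token), and anything taken from a krb5_data goes through `%.*s` with the length or is copied into a NUL-terminated buffer first.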
Attaching this IT to this case and placing this on U9 proposed. The description
reported by the customer is similar to the one above and I think it's the same.
Here it is in case you want to double check:
The pam_krb5 on AS 3 (version 1.77-1) doesn't return the password-change result code.
Here are the debug messages when the "debug" option is used:
Sep 25 11:32:00 rhclnt1 sshd: pam_krb5: changing ts12345's Kerberos 5
password failed: New password was used previously. Please choose a different
password. (4: Password change rejectedh<9d>^K^H^Y)
Sep 25 11:32:00 rhclnt1 sshd: pam_krb5: pam_sm_chauthtok() returning 0
I had the customer test the 1.78-1 package and the fixes already in that package
seem to have corrected the problem.
Created attachment 137230 [details]
proposed update source package
Chris, can you rebuild the attached source package and see if it fixes the
problem for you?
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
A new pam_krb5 package has been released that fixes this issue. Please see
the errata announcement:
This package is now official :)
Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'
This event sent from IssueTracker by pbatkowski