Bug 191231 - pam_krb5 does not report KDC password rejection
pam_krb5 does not report KDC password rejection
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
i686 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On:
  Show dependency treegraph
Reported: 2006-05-09 17:46 EDT by Chris Hollowell
Modified: 2007-11-30 17:07 EST (History)
1 user (show)

See Also:
Fixed In Version: RHBA-2007-0434
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-06-11 14:38:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch which addresses this issue (1.56 KB, text/plain)
2006-05-09 17:46 EDT, Chris Hollowell
no flags Details
proposed update source package (162.22 KB, application/octet-stream)
2006-09-27 13:36 EDT, Nalin Dahyabhai
no flags Details

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0434 normal SHIPPED_LIVE pam_krb5 bug fix update 2007-06-07 16:32:34 EDT

  None (edit)
Description Chris Hollowell 2006-05-09 17:46:43 EDT
Description of problem:
If a user attempts to change their K5 password via pam_krb5,
and the KDC rejects their newly selected password because it 
is weak (too few characters, based on a dictionary word), the 
user will not be notified that the operation failed.

The attached patch appears to correct this issue.

Version-Release number of selected component (if applicable):
pam_krb5-1.77-1, older releases as well.

How reproducible:

Steps to Reproduce:
1.  Configure PAM to call pam_krb5.so in the password module stack.
2.  Using /usr/bin/passwd, attempt to change a user's K5 password 
    to a weak string the KDC will reject.
Actual results:
"passwd: all authentication tokens updated successfully." is reported,
but the user's K5 password has not been changed.  An informational
message describing the error is sent to syslog.

Expected results:
pam_krb5 should report an error to the calling application. 

Additional info:
Appears to affect RHEL4 as well.
Comment 1 Chris Hollowell 2006-05-09 17:46:43 EDT
Created attachment 128820 [details]
Patch which addresses this issue
Comment 2 Jeff Layton 2006-09-27 06:40:39 EDT
Attaching this IT to this case and placing this on U9 proposed. The description
reported by the customer is similar to the one above and I think it's the same. 

Here it is in case you want to double check:

The pam_krb5 on AS 3 (version 1.77-1) doesn't return password changing result code.

Here is the debug msgs when option "debug" is used:

Sep 25 11:32:00 rhclnt1 sshd[10048]: pam_krb5: changing ts12345's Kerberos 5
password failed: New password was used previously. Please choose a different
password. (4: Password change rejectedh<9d>^K^H^Y)
Sep 25 11:32:00 rhclnt1 sshd[10048]: pam_krb5: pam_sm_chauthtok() returning 0


I had the customer test the 1.78-1 package and the fixes already in that package
seem to have corrected the problem.
Comment 5 Nalin Dahyabhai 2006-09-27 13:36:14 EDT
Created attachment 137230 [details]
proposed update source package

Chris, can you rebuild the attached source package and see if it fixes the
problem for you?
Comment 12 Red Hat Bugzilla 2007-06-11 14:38:52 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

Comment 13 Issue Tracker 2007-06-11 15:01:07 EDT

New pam_krb5 package has been released that fixes this issue. Please see
the errata announcement:


This package is now official :)


Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by pbatkowski 
 issue 102763

Note You need to log in before you can comment on or make changes to this bug.