Description of problem: If a user attempts to change their K5 password via pam_krb5, and the KDC rejects their newly selected password because it is weak (too few characters, based on a dictionary word), the user will not be notified that the operation failed. The attached patch appears to correct this issue.

Version-Release number of selected component (if applicable): pam_krb5-1.77-1, older releases as well.

How reproducible: Always

Steps to Reproduce:
1. Configure PAM to call pam_krb5.so in the password module stack.
2. Using /usr/bin/passwd, attempt to change a user's K5 password to a weak string the KDC will reject.

Actual results: "passwd: all authentication tokens updated successfully." is reported, but the user's K5 password has not been changed. An informational message describing the error is sent to syslog.

Expected results: pam_krb5 should report an error to the calling application.

Additional info: Appears to affect RHEL4 as well.
Created attachment 128820 [details] Patch which addresses this issue
Attaching this IT to this case and placing this on U9 proposed. The description reported by the customer is similar to the one above and I think it's the same. Here it is in case you want to double check:

----------[snip]-----------
The pam_krb5 on AS 3 (version 1.77-1) doesn't return password changing result code. Here is the debug msgs when option "debug" is used:

Sep 25 11:32:00 rhclnt1 sshd[10048]: pam_krb5: changing ts12345's Kerberos 5 password failed: New password was used previously. Please choose a different password. (4: Password change rejectedh<9d>^K^H^Y)
Sep 25 11:32:00 rhclnt1 sshd[10048]: pam_krb5: pam_sm_chauthtok() returning 0 (Success)
-----------[snip]--------------

I had the customer test the 1.78-1 package and the fixes already in that package seem to have corrected the problem.
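The failure mode in the description and in the debug log above (a kpasswd result code of 4 logged, then pam_sm_chauthtok() returning 0) comes down to how the module maps the KDC's change-password result onto its PAM return value. The following is an added illustration, not the attached patch or pam_krb5's own code: it contrasts the reported behaviour with one that propagates the rejection, and it renders the KDC's length-counted result string without running past its length. The PAM and kpasswd constants are redefined locally with their real values so it builds without the PAM or Kerberos headers; the struct, sample reply and function names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Stand-ins for the Linux-PAM and kpasswd constants (values as in
 * <security/pam_modules.h> and RFC 3244), defined here so the example
 * builds without the PAM or Kerberos development headers. */
#define PAM_SUCCESS            0
#define PAM_AUTHTOK_ERR        20  /* authentication token manipulation error */
#define KRB5_KPASSWD_SUCCESS   0
#define KRB5_KPASSWD_SOFTERROR 4   /* "Password change rejected" by KDC policy */

/* Stand-in for krb5_data: a length-counted buffer that is NOT NUL-terminated. */
struct kdc_string { unsigned int length; const char *data; };

/* Constructed sample of a KDC reply: the counted text is followed by junk
 * bytes, so printing it as a C string would leak garbage into the log. */
static const char sample_raw[] = "Password change rejectedh\x9d\x0b\x08\x19";
static const struct kdc_string sample_rejected = { 24, sample_raw };
static const struct kdc_string sample_ok = { 0, "" };

/* Render the KDC string honouring its length field (static buffer, not reentrant). */
const char *kdc_string_cstr(const struct kdc_string *s)
{
    static char buf[256];
    size_t n = s->length < sizeof buf - 1 ? s->length : sizeof buf - 1;
    memcpy(buf, s->data, n);
    buf[n] = '\0';
    return buf;
}

/* Behaviour the bug describes: the rejection is logged, yet the module
 * still reports success, so passwd prints "all authentication tokens
 * updated successfully" while the password is unchanged. */
int chauthtok_result_buggy(int result_code, const struct kdc_string *result_string)
{
    if (result_code != KRB5_KPASSWD_SUCCESS)
        fprintf(stderr, "pam_krb5: password change failed: %s (%d)\n",
                kdc_string_cstr(result_string), result_code);
    return PAM_SUCCESS;  /* bug: the KDC's rejection never reaches the caller */
}

/* Expected behaviour: a non-zero kpasswd result becomes a PAM error so the
 * calling application can tell the user the change was rejected. */
int chauthtok_result_fixed(int result_code, const struct kdc_string *result_string)
{
    if (result_code == KRB5_KPASSWD_SUCCESS)
        return PAM_SUCCESS;
    fprintf(stderr, "pam_krb5: password change failed: %s (%d)\n",
            kdc_string_cstr(result_string), result_code);
    return PAM_AUTHTOK_ERR;
}
```

With the fixed mapping, passwd receives PAM_AUTHTOK_ERR and reports the failure instead of "all authentication tokens updated successfully".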
Created attachment 137230 [details] proposed update source package Chris, can you rebuild the attached source package and see if it fixes the problem for you?
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0434.html
Gene,

New pam_krb5 package has been released that fixes this issue. Please see the errata announcement: http://rhn.redhat.com/errata/RHBA-2007-0434.html

This package is now official :)

Paul

Internal Status set to 'Resolved'
Status set to: Closed by Tech
Resolution set to: 'RHEL 3.9'

This event sent from IssueTracker by pbatkowski
issue 102763