addprinc -randkey broken in 1.7?

When running (in kadmin)

    addprinc -randkey host/host.domain

I get a complaint about the password not containing enough character classes. Did I miss something? Not really a big deal since I can just specify a password.

It used to work in 1.6.

- Leonard

________________________________________________
Kerberos mailing list
Kerberos@...
https://mailman.mit.edu/mailman/listinfo/kerberos

Re: addprinc -randkey broken in 1.7?

"Leonard J. Peirce" <leonard.peirce@...> writes:

> When running (in kadmin)
>
> addprinc -randkey host/host.domain
>
> I get a complaint about the password not containing enough character
> classes. Did I miss something? Not really a big deal since I can
> just specify a password.
>
> It used to work in 1.6.

addprinc -randkey hasn't worked for principals that have a password policy set for some time for me. The way -randkey works under the hood is that it adds the principal disabled with a fixed password (which is indeed pretty bad except that it's very long), then randomizes the key, and then enables the principal.

This has other strange artifacts (or at least did -- I don't know if they've been fixed). For example, adding a principal with -randkey and -disallow_all_tix results in an enabled principal, ignoring the -disallow_all_tix option.

--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>

Re: addprinc -randkey broken in 1.7?

Russ Allbery <rra@...> writes:

> Date: Wed, 16 Sep 2009 13:13:13 PDT
> To: "Leonard J. Peirce" <leonard.peirce@...>
> cc: kerberos@...
> From: Russ Allbery <rra@...>
> Subject: Re: addprinc -randkey broken in 1.7?
>
> "Leonard J. Peirce" <leonard.peirce@...> writes:
>
> > When running (in kadmin)
> >
> > addprinc -randkey host/host.domain
> >
> > I get a complaint about the password not containing enough character
> > classes. Did I miss something? Not really a big deal since I can
> > just specify a password.
> >
> > It used to work in 1.6.
>
> addprinc -randkey hasn't worked for principals that have a password policy
> set for some time for me. The way -randkey works under the hood is that
> it adds the principal disabled with a fixed password (which is indeed
> pretty bad except that it's very long), then randomizes the key, and then
> enables the principal.
>
> This has other strange artifacts (or at least did -- I don't know if
> they've been fixed). For example, adding a principal with -randkey and
> -disallow_all_tix results in an enabled principal, ignoring the
> -disallow_all_tix option.

Ah! I have a patch for this. I thought I had submitted this to MIT long since, but I can't find any record that this happened. Here's the patch:

    /afs/umich.edu/user/m/d/mdw/build/krb5.15x/patches/krb5-1.6.3-ankfix1.patch

This changes the protocol to use a 'null' password to indicate randkey operation. If a new client talks to an old server, the behavior is to fall back to the old case. Obviously this was for 1.6.3, but it might apply to 1.7.

-Marcus Watts

Re: addprinc -randkey broken in 1.7?

On Wed, 16 Sep 2009 at 13:13 (-0700), Russ Allbery wrote:

> "Leonard J. Peirce" <leonard.peirce@...> writes:
>
>> When running (in kadmin)
>>
>> addprinc -randkey host/host.domain
>>
>> I get a complaint about the password not containing enough character
>> classes. Did I miss something? Not really a big deal since I can just
>> specify a password.
>>
>> It used to work in 1.6.
>
> addprinc -randkey hasn't worked for principals that have a password
> policy set for some time for me. The way -randkey works under the hood
> is that it adds the principal disabled with a fixed password (which is
> indeed pretty bad except that it's very long), then randomizes the key,
> and then enables the principal.

Russ,

I'm running 1.6.3 and don't have this problem. In fact, looking at the code in src/kadmin/cli/kadmin.c, it appears that when '-randkey' is used for addprinc, the password is set initially to a 256 character string containing all possible character values from 1 thru 255 plus a terminating 0 (and then randomized in a separate step). This, I would think, should satisfy any password policy.

OK, so maybe I'm misinterpreting the code. But the fact is that I add host principals with -randkey all the time with no problem. I've been doing this for several releases up to and including our current 1.6.3. We may go to 1.7 soon, so possibly something's changed there, but in the meantime, could someone clarify all this?

Thanks.

Mike Friedman
Information Services & Technology, University of California at Berkeley
mikef@... http://mikef.berkeley.edu http://ist.berkeley.edu

Re: addprinc -randkey broken in 1.7?

Mike Friedman <mikef@...> writes:

> I'm running 1.6.3 and don't have this problem. In fact, looking at the
> code in src/kadmin/cli/kadmin.c, it appears that when '-randkey' is used
> for addprinc, the password is set initially to a 256 character string
> containing all possible character values from 1 thru 255 plus a
> terminating 0 (and then randomized in a separate step). This, I would
> think, should satisfy any password policy.

Well, it's certainly rejected by our password policy. :) I don't know how it interacts with the character class checking. We have to always clear policies on keys before using randkey.

--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>

Re: addprinc -randkey broken in 1.7?

On Wed, 2009-09-16 at 18:39 -0400, Mike Friedman wrote:

> OK, so maybe I'm misinterpreting the code. But the fact is that I add
> host principals with -randkey all the time with no problem. I've been
> doing this for several releases up to and including our current 1.6.3.
> We may go to 1.7 soon, so possibly something's changed there, but in the
> meantime, could someone clarify all this?

Here's the history of the temporary password used for addprinc -randkey:

* Through krb5 1.1, it was "dummy", which would fail any password policy requiring multiple character classes or more than five characters. This might explain Russ's experiences.

* In r9210 (October 1996), it was changed to a 255 byte string containing all possible nonzero byte values, which would pass any policy with a reasonable minimum length. I believe this change first hit the field in krb5 1.2.

* In r20650 (August 2008), it was changed to 255 weakly random lowercase letters, which would fail any policy requiring multiple character classes. According to the commit log, this was to avoid a problem where the RC4 string-to-key function requires the password to be valid UTF-8. This change first hit the field in krb5 1.7.

It would be trivial to fix this regression by picking a temporary password which is valid UTF-8 but still contains all five character classes. I think that will be the best minimal fix for 1.7.1. For the trunk, time permitting, I will review and apply Marcus Watts's patch, which is a more elegant solution.

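The regression Greg lays out above, as an added example (Python, written for this page, not krb5's own code): it models the five kadmin policy character classes and the UTF-8 requirement that motivated the 1.7 change, then evaluates constructed stand-ins for each historical temporary password. The policy thresholds and the C-locale style byte classification are assumptions.

```python
import string

MIN_LENGTH, MIN_CLASSES = 8, 3  # assumed sample policy values, not krb5 defaults


def char_classes(raw: bytes) -> set:
    """krb5 policy classes present in raw: lower, upper, digit, punct, other.
    Assumption: bytes classify like C ctype in the "C" locale, so every
    byte >= 0x80 (and every control byte) counts as "other"."""
    classes = set()
    for ch in raw.decode("latin-1"):  # one char per byte, never fails
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes


def is_valid_utf8(raw: bytes) -> bool:
    """The RC4 string-to-key path requires a valid UTF-8 password."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def evaluate(raw: bytes) -> dict:
    """Check one temporary password against the sample policy and UTF-8 rule."""
    n = len(char_classes(raw))
    utf8 = is_valid_utf8(raw)
    long_enough = len(raw) >= MIN_LENGTH
    return {"utf8": utf8, "classes": n, "length_ok": long_enough,
            "ok": utf8 and long_enough and n >= MIN_CLASSES}


# Constructed stand-ins for the temporary passwords the thread describes.
CANDIDATES = {
    "dummy (through 1.1)": b"dummy",
    "bytes 1..255 (1.2 to 1.6)": bytes(range(1, 256)),
    "255 lowercase letters (1.7)": b"a" * 255,  # randomness is irrelevant here
    "valid UTF-8, five classes": ("Aa0!\u00e9" * 51).encode("utf-8"),
}
RESULTS = {name: evaluate(pw) for name, pw in CANDIDATES.items()}
```

Only the last candidate satisfies both the class count and the UTF-8 rule; the 1.2 to 1.6 string has every class but is not valid UTF-8, and the 1.7 string is valid UTF-8 but has one class.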
Re: addprinc -randkey broken in 1.7?

Greg Hudson <ghudson@...> writes:

> Here's the history of the temporary password used for addprinc -randkey:
>
> * Through krb5 1.1, it was "dummy", which would fail any password
> policy requiring multiple character classes or more than five
> characters. This might explain Russ's experiences.
>
> * In r9210 (October 1996), it was changed to a 255 byte string
> containing all possible nonzero byte values, which would pass any policy
> with a reasonable minimum length. I believe this change first hit the
> field in krb5 1.2.

Ah, sorry, my experience is better explained by the fact that we patch the KDC to apply cracklib checks on a password policy, and cracklib fails this password. Sorry about the confusion.

--
Russ Allbery (rra@...) <http://www.eyrie.org/~eagle/>

Re: addprinc -randkey broken in 1.7?

On Wed, 2009-09-16 at 23:29 -0400, Greg Hudson wrote:

> It would be trivial to fix this regression by picking a temporary
> password which is valid UTF-8 but still contains all five character
> classes. I think that will be the best minimal fix for 1.7.1. For the
> trunk, time permitting, I will review and apply Marcus Watts's patch,
> which is a more elegant solution.

Just to close the loop on this, both the minimal fix and the long-term fix are checked in. We don't currently have a scheduled date for 1.7.1; the schedule for 1.8 is March 2010 plus or minus three months.

I failed to credit Marcus Watts in my commit of the long-term fix, which was adapted from his patch. Apologies on that count.