#4914 Krb keys get "wrong" salt when changed via kadmin
Closed: Fixed None Opened 9 years ago by simo.

When changing a password via kadmin, the generated Kerberos keys end up using the "Normal" salt instead of the preferred SPECIAL salt (i.e. random salt).
This causes a REGRESSION in that renaming a user will not allow it to continue to log in but will require a password reset, as the proper salt will not be sent to the client when the PREAUTH request is sent.


Further info.
I "think" we can easily fix this, by providing password policy info about supported enctypes back to kadmin when it calls the get_policy DAL function.

We currently pass back NULL which is not great.
The only annoyance is that we'll have to translate back enc-salts arrays into strings.
When we do that we should reorder the policy such that "special" enctypes-salts pairs are listed before the "normal" salt pairs.
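
The translation and reordering proposed in the comment above, as an added example that is not code from this ticket or from FreeIPA. The `keysalt` struct, the `salt_kind` enum, the function name and the comma separator are assumptions standing in for the real libkrb5 types and string format.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for libkrb5's key/salt tuple; not the real types. */
enum salt_kind { SALT_NORMAL = 0, SALT_SPECIAL = 1 };
struct keysalt { const char *enctype; enum salt_kind salt; };

/*
 * Write "enctype:salt,enctype:salt,..." into out, listing every
 * special-salt pair before any normal-salt pair while keeping the
 * original relative order inside each group (a stable partition).
 * Returns 0 on success, -1 on bad arguments or if out is too small;
 * on failure out is left empty so no truncated policy is ever used.
 */
int keysalts_to_string(const struct keysalt *ks, size_t n, char *out, size_t outlen)
{
    size_t used = 0;

    if (out == NULL || outlen == 0 || (ks == NULL && n != 0))
        return -1;
    out[0] = '\0';
    /* Pass 0 emits the special salts, pass 1 the normal salts. */
    for (int pass = 0; pass < 2; pass++) {
        enum salt_kind want = (pass == 0) ? SALT_SPECIAL : SALT_NORMAL;
        for (size_t i = 0; i < n; i++) {
            if (ks[i].salt != want || ks[i].enctype == NULL)
                continue;
            int w = snprintf(out + used, outlen - used, "%s%s:%s",
                             used ? "," : "", ks[i].enctype,
                             want == SALT_SPECIAL ? "special" : "normal");
            if (w < 0 || (size_t)w >= outlen - used) {
                out[0] = '\0';
                return -1;
            }
            used += (size_t)w;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample policy, with normal salts listed first. */
    struct keysalt ks[] = { { "aes256-cts", SALT_NORMAL }, { "aes256-cts", SALT_SPECIAL },
                            { "aes128-cts", SALT_NORMAL }, { "aes128-cts", SALT_SPECIAL } };
    char buf[128];
    if (keysalts_to_string(ks, 4, buf, sizeof(buf)) == 0)
        puts(buf);
    return 0;
}
```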

master:

  • d5b6c83 Detect default encsalts kadmin password change

ipa-4-1:

  • 7077622 Detect default encsalts kadmin password change

master:

  • e2c2d59 Add compatibility function for older libkrb5

ipa-4-1:

  • aae54b2 Add compatibility function for older libkrb5

master:

  • 4d7b630 ipa-kdb: common function to get key encodings/salt types

Metadata Update from @simo:
- Issue assigned to simo
- Issue set to the milestone: FreeIPA 4.2

7 years ago
