#8628 kadmin's change_password command with -keepold option doesn't work
Closed: duplicate 16 days ago by jrische. Opened 4 years ago by danielmilewskigrupawp.

Issue

kadmin's change_password command with the -keepold option doesn't work in FreeIPA. It adds new keys but increments the old keys' kvno as well. I know FreeIPA doesn't support the kadmin interface and there is a way to change the key for most principals, but I believe it should be possible to change the key for the krbtgt principal too, without breaking existing TGTs (it is possible in MIT Kerberos according to the documentation). Of course, the purgekeys command should work as well, or there should be another method for purging keys with older kvnos.

Steps to Reproduce

  1. Run kadmin.local -q 'change_password -randkey -keepold krbtgt/REALM' on FreeIPA server

Actual behavior

# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96

Expected behavior

# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96

Version/Release/Distribution

# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-client-4.6.8-5.el7.centos.x86_64
389-ds-base-1.3.10.2-7.1.el7_9.x86_64
pki-ca-10.5.18-7.el7.noarch
krb5-server-1.15.1-50.el7.x86_64

@rharwood could you please check this? I looked at ipadb_change_pwd() and I don't see us modifying old keys if keepold is true. We just copy what's there.

I forgot to include that the old key is the one that works after using change_password command.

I can reproduce the kvno issue on Rawhide but cannot use the old key anymore:

[root@m1 ~]# ipa service-add test/`hostname`
-------------------------------------------
Added service "test/m1.ipa1.test@IPA1.TEST"
-------------------------------------------
  Principal name: test/m1.ipa1.test@IPA1.TEST
  Principal alias: test/m1.ipa1.test@IPA1.TEST
  Managed by: m1.ipa1.test
[root@m1 ~]# ipa-getkeytab -k ./test.keytab -p test/`hostname`
Keytab successfully retrieved and stored in: ./test.keytab
[root@m1 ~]# kadmin.local
Authenticating as principal admin/admin@IPA1.TEST with password.
kadmin.local:  getprinc test/m1.ipa1.test@IPA1.TEST
Principal: test/m1.ipa1.test@IPA1.TEST
Expiration date: [never]
Last password change: Fri Dec 18 18:32:37 EET 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Dec 18 18:32:37 EET 2020 (test/m1.ipa1.test@IPA1.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96:special
Key: vno 1, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:  cpw -keepold -randkey test/m1.ipa1.test@IPA1.TEST
Key for "test/m1.ipa1.test@IPA1.TEST" randomized.
kadmin.local:  getprinc test/m1.ipa1.test@IPA1.TEST
Principal: test/m1.ipa1.test@IPA1.TEST
Expiration date: [never]
Last password change: Fri Dec 18 18:33:27 EET 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Dec 18 18:33:27 EET 2020 (admin/admin@IPA1.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96:special
Key: vno 2, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local: ^D
[root@m1 ~]# kinit -k -t ./test.keytab test/`hostname`
kinit: Preauthentication failed while getting initial credentials

It is as if the -keepold option is ignored by kadmin.local.
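A quick way to tell the two outcomes apart before and after a `cpw -keepold` on a test principal (as in the transcript above) or on krbtgt (as in the original report) is to parse the `Key: vno N, enctype[:salt]` lines from two `getprinc` runs and check that every old entry survived unchanged and a higher kvno was added. This is an added illustration, not code from FreeIPA or krb5; the sample outputs are constructed to match the ones quoted on this ticket.

```python
import re

# Matches the "Key: vno N, enctype[:salt]" lines printed by kadmin getprinc.
KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([\w-]+)(?::(\S+))?\s*$")

def parse_keys(getprinc_output):
    """Return a list of (kvno, enctype, salt) tuples; other lines are ignored."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3) or ""))
    return keys

def keepold_preserved(before, after):
    """True if a `cpw -keepold` kept every old (kvno, enctype, salt) entry
    and added at least one key with a higher kvno; False otherwise (e.g. when
    the old keys were renumbered, which is the behaviour this ticket reports)."""
    old = set(parse_keys(before))
    new = set(parse_keys(after))
    if not old or not old.issubset(new):
        return False
    max_old = max(k for k, _, _ in old)
    return any(k > max_old for k, _, _ in new)

# Constructed samples modelled on the getprinc output quoted in this ticket.
BEFORE = """\
Key: vno 1, aes256-cts-hmac-sha1-96:special
Key: vno 1, aes128-cts-hmac-sha1-96:special
MKey: vno 1
"""
AFTER_BUGGY = """\
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, aes256-cts-hmac-sha1-96:special
Key: vno 2, aes128-cts-hmac-sha1-96:special
"""
AFTER_EXPECTED = """\
Key: vno 1, aes256-cts-hmac-sha1-96:special
Key: vno 1, aes128-cts-hmac-sha1-96:special
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
"""

if __name__ == "__main__":
    print("buggy rotation kept old keys:", keepold_preserved(BEFORE, AFTER_BUGGY))        # False
    print("expected rotation kept old keys:", keepold_preserved(BEFORE, AFTER_EXPECTED))  # True
```

Run it against the real `getprinc` output captured before and after the rotation; a False result on krbtgt means outstanding TGTs can no longer be decrypted by the KDC.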

Apologies, neglected to note earlier that I'd reproduced the issue and confirmed it's specific to the freeipa case.

krb5 assembles a new entry in a db-agnostic way and passes it off to ->put_principal(), so it's most likely something inside of ipadb_modify_principal().

(The other possibility, I suppose, is that it's correctly in the DB but not showing up during getprinc. This seems unlikely given the failure indicated above, but an LDAP inspection would also rule it out.)

Somewhat confusingly, the call chain doesn't go through ipadb_change_pwd(). There's a TODO about this in ipadb_entry_to_mods(): https://github.com/freeipa/freeipa/blob/master/daemons/ipa-kdb/ipa_kdb_principals.c#L2294-L2296

I forgot to include that the old key is the one that works after using change_password command.

I was incorrect. The new key is the one that works.

Metadata Update from @jrische:
- Issue assigned to jrische

8 months ago

Metadata Update from @jrische:
- Issue marked as depending on: #9370

7 months ago

Metadata Update from @jrische:
- Custom field blocking adjusted to 9370
- Issue unmarked as depending on: #9370
- Issue marked as blocking: #9370

7 months ago

Metadata Update from @jrische:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7712

16 days ago

Metadata Update from @jrische:
- Custom field blockedby adjusted to #9370
- Custom field blocking reset (from 9370)
- Issue unmarked as blocking: #9370

16 days ago

Metadata Update from @jrische:
- Custom field blockedby adjusted to 9370 (was: #9370)
- Custom field blocking adjusted to 9370
- Issue unmarked as depending on: #9370
- Issue marked as blocking: #9370

16 days ago

Metadata Update from @jrische:
- Custom field blocking reset (from 9370)
- Issue unmarked as blocking: #9370
- Issue marked as depending on: #9370

16 days ago

Metadata Update from @jrische:
- Custom field blockedby reset (from 9370)
- Issue unmarked as depending on: #9370

16 days ago

Metadata Update from @jrische:
- Custom field affects_doc adjusted to on
- Custom field knownissue adjusted to on
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

16 days ago

This ticket is a duplicate of #9370.
