#8628 kadmin's change_password command with -keepold option doesn't work
Opened 3 years ago by danielmilewskigrupawp. Modified 11 months ago

Issue

kadmin's change_password command with the -keepold option doesn't work in FreeIPA. It adds new keys but increments the old keys' kvno as well. I know FreeIPA doesn't support the kadmin interface and there is a way to change keys for most principals, but I believe it should be possible to change the key for the krbtgt principal too, without breaking existing TGTs (it is possible in MIT Kerberos according to the documentation). Of course, the purgekeys command should work as well, or there should be another method for purging keys with older kvnos.

Steps to Reproduce

  1. Run kadmin.local -q 'change_password -randkey -keepold krbtgt/REALM' on FreeIPA server

Actual behavior

# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96

Expected behavior

# kadmin.local -q 'get_principal krbtgt/REALM'
[...]
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96

Version/Release/Distribution

# rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.6.8-5.el7.centos.x86_64
ipa-client-4.6.8-5.el7.centos.x86_64
389-ds-base-1.3.10.2-7.1.el7_9.x86_64
pki-ca-10.5.18-7.el7.noarch
krb5-server-1.15.1-50.el7.x86_64

@rharwood could you please check this? I looked at ipadb_change_pwd() and I don't see us modifying old keys if keepold is true. We just copy what's there.

I forgot to include that the old key is the one that works after using change_password command.

I can reproduce the kvno issue on Rawhide but cannot use the old key anymore:

[root@m1 ~]# ipa service-add test/`hostname`
-------------------------------------------
Added service "test/m1.ipa1.test@IPA1.TEST"
-------------------------------------------
  Principal name: test/m1.ipa1.test@IPA1.TEST
  Principal alias: test/m1.ipa1.test@IPA1.TEST
  Managed by: m1.ipa1.test
[root@m1 ~]# ipa-getkeytab -k ./test.keytab -p test/`hostname`
Keytab successfully retrieved and stored in: ./test.keytab
[root@m1 ~]# kadmin.local
Authenticating as principal admin/admin@IPA1.TEST with password.
kadmin.local:  getprinc test/m1.ipa1.test@IPA1.TEST
Principal: test/m1.ipa1.test@IPA1.TEST
Expiration date: [never]
Last password change: Fri Dec 18 18:32:37 EET 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Dec 18 18:32:37 EET 2020 (test/m1.ipa1.test@IPA1.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96:special
Key: vno 1, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local:  cpw -keepold -randkey test/m1.ipa1.test@IPA1.TEST
Key for "test/m1.ipa1.test@IPA1.TEST" randomized.
kadmin.local:  getprinc test/m1.ipa1.test@IPA1.TEST
Principal: test/m1.ipa1.test@IPA1.TEST
Expiration date: [never]
Last password change: Fri Dec 18 18:33:27 EET 2020
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Fri Dec 18 18:33:27 EET 2020 (admin/admin@IPA1.TEST)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96:special
Key: vno 2, aes128-cts-hmac-sha1-96:special
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin.local: ^D
[root@m1 ~]# kinit -k -t ./test.keytab test/`hostname`
kinit: Preauthentication failed while getting initial credentials

It is as if the -keepold option is ignored by kadmin.local.
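A check for the behaviour described in the opening report and in the Rawhide reproduction above (an added example, not code from this ticket or from FreeIPA): it parses two kadmin.local getprinc listings taken before and after cpw -keepold and reports whether every old key survived with its original kvno and whether the new keys all carry the next kvno. The two listings embedded below are constructed from the key lines quoted in this ticket; the names Key, parse_keys and check_keepold are chosen here and are not part of any FreeIPA or MIT Kerberos tooling.

```python
"""Verify that `cpw -keepold` really kept the old keys.

Feed it the `getprinc` output captured before and after the change; an empty
problem list means the documented -keepold behaviour was observed.
"""
from __future__ import annotations

import re
from typing import NamedTuple

# Matches "Key: vno 2, aes256-cts-hmac-sha1-96" and "Key: vno 1, aes256-cts-hmac-sha1-96:special"
KEY_RE = re.compile(r"^Key: vno (\d+), ([^:\s]+)(?::(\S+))?$")


class Key(NamedTuple):
    kvno: int
    enctype: str
    salt: str  # "" when getprinc prints no salt suffix


def parse_keys(getprinc_output: str) -> list[Key]:
    """Extract the `Key: vno N, enctype[:salt]` lines from a getprinc listing."""
    keys: list[Key] = []
    for line in getprinc_output.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append(Key(int(m.group(1)), m.group(2), m.group(3) or ""))
    return keys


def check_keepold(before: str, after: str) -> list[str]:
    """Return the list of deviations from the documented -keepold behaviour.

    Expected after `cpw -keepold`:
      * every key present before is still present, with its original kvno
      * the newly added keys all carry exactly one kvno: old maximum + 1
    """
    old = set(parse_keys(before))
    new = set(parse_keys(after))
    problems: list[str] = []
    if not old:
        return ["no keys parsed from the 'before' listing"]

    # Any old (kvno, enctype, salt) triple that vanished was dropped or renumbered.
    for k in sorted(old - new):
        problems.append(f"old key lost or renumbered: vno {k.kvno} {k.enctype}")

    old_max = max(k.kvno for k in old)
    added = new - old
    if not added:
        problems.append("no new keys were added")
    else:
        kvnos = {k.kvno for k in added}
        if kvnos != {old_max + 1}:
            problems.append(f"new keys have kvno {sorted(kvnos)}, expected {old_max + 1}")
    return problems


# Constructed listings, trimmed to the lines that matter, based on the ticket's output.
BEFORE = """\
Principal: test/m1.ipa1.test@IPA1.TEST
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96:special
Key: vno 1, aes128-cts-hmac-sha1-96:special
MKey: vno 1
"""

# What the Rawhide reproduction actually showed: every key bumped to vno 2.
AFTER_ACTUAL = """\
Number of keys: 8
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
Key: vno 2, aes256-cts-hmac-sha1-96:special
Key: vno 2, aes128-cts-hmac-sha1-96:special
MKey: vno 1
"""

# What -keepold is documented to produce: old vno 1 keys retained, new keys at vno 2.
AFTER_EXPECTED = """\
Number of keys: 8
Key: vno 1, aes256-cts-hmac-sha1-96:special
Key: vno 1, aes128-cts-hmac-sha1-96:special
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha256-128
Key: vno 2, aes256-cts-hmac-sha384-192
Key: vno 2, camellia128-cts-cmac
Key: vno 2, camellia256-cts-cmac
MKey: vno 1
"""

if __name__ == "__main__":
    for label, after in (("actual", AFTER_ACTUAL), ("expected", AFTER_EXPECTED)):
        print(label, check_keepold(BEFORE, after) or "OK")
```

In practice the two listings come from running kadmin.local -q 'getprinc PRINCIPAL' immediately before and after the cpw -keepold call; the "actual" listing from this ticket yields two "old key lost or renumbered" findings, which is exactly the symptom reported.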

Apologies, neglected to note earlier that I'd reproduced the issue and confirmed it's specific to the freeipa case.

krb5 assembles a new entry in a db-agnostic way and passes it off to ->put_principal(), so it's most likely something inside of ipadb_modify_principal().

(The other possibility, I suppose, is that it's correctly in the DB but not showing up during getprinc - this seems unlikely given the failure indicated above, but an LDAP inspection would also rule it out.)

Somewhat confusingly, the call chain doesn't go through ipadb_change_pwd(). There's a TODO about this in ipadb_entry_to_mods(): https://github.com/freeipa/freeipa/blob/master/daemons/ipa-kdb/ipa_kdb_principals.c#L2294-L2296

I was incorrect. The new key is the one that works.
