Package: krb5-kdc Version: 1.8.3+dfsg-4squeeze5 Severity: normal Tags: upstream
Hi, we recently updated our master KDC from Lenny to Squeeze. After the update several users were not able anymore to change their passwords, no matter if kpasswd or kadmin.local w as used: change_password: Message size is incompatible with encryption type while changing password for "[email protected]". All our user principals use a policy which sets a password history of 6. The problem disappeared as we set the history to 1, so that no history was used at all. Further investigation showed the involved code parts: #0 krb5_k_decrypt (context=0x6129f0, key=0x636fc0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:54 #1 0x00007ffff6c31739 in krb5_c_decrypt (context=0x6129f0, keyblock=0x7fffffffc2f0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:100 #2 0x00007ffff77a4171 in krb5_dbekd_def_decrypt_key_data (context=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/decrypt_key.c:92 #3 0x00007ffff77a3c67 in krb5_dbekd_decrypt_key_data (kcontext=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/kdb5.c:2481 #4 0x00007ffff79c27be in check_pw_reuse (context=0x6129f0, mkey=0x6171b0, hist_keyblock=0x7fffffffc2f0, n_new_key_data=8, new_key_data=0x633d50, n_pw_hist_data=5, pw_hist_data=0x633650) at ../../../../src/lib/kadm5/srv/svr_principal.c:988 #5 0x00007ffff79c3441 in kadm5_chpass_principal_3 (server_handle=0x614830, principal=0x6335c0, keepold=0, n_ks_tuple=0, ks_tuple=0x0, password=0x611940 "Blafasel123") at ../../../../src/lib/kadm5/srv/svr_principal.c:1454 #6 0x00007ffff79c2ed1 in kadm5_chpass_principal (server_handle=0x614830, principal=0x6335c0, password=0x611940 "Blafasel123") at ../../../../src/lib/kadm5/srv/svr_principal.c:1334 #7 0x0000000000404849 in kadmin_cpw (argc=1, argv=0x629fc8) at ../../../src/kadmin/cli/kadmin.c:783 #8 0x00007ffff7bdbeda in ?? () from /lib/libss.so.2 #9 0x00007ffff7bdbfc5 in ss_execute_line () from /lib/libss.so.2 #10 0x00007ffff7bdc3ff in ss_listen () from /lib/libss.so.2 #11 0x00000000004077c5 in main (argc=1, argv=0x7fffffffe828) at ../../../src/kadmin/cli/ss_wrapper.c:61 (gdb) p input->ciphertext.length $1 = 24 (gdb) p header_len $2 = 8 (gdb) p trailer_len $3 = 20 (gdb) p input->enctype $4 = 511 (gdb) p ktp->etype $5 = 16 So the history key type is Triple-DES. When we setup a new test realm we found a DES key was used instead, just like the master key. kadmin.local: getprinc kadmin/history Principal: kadmin/[email protected] Expiration date: [never] Last password change: Tue Dec 10 15:51:20 CET 2002 Password expiration date: [none] Maximum ticket life: 0 days 00:01:04 Maximum renewable life: 0 days 00:00:00 Last modified: Tue Dec 10 15:51:20 CET 2002 ([email protected]) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 2 Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 2, DES cbc mode with CRC-32, no salt MKey: vno 1 Attributes: Policy: [none] I have no idea why our realm database has these two enctypes for the kadmin/history principal, but it has. The code seems to have a serious problem with that as it causes KRB5_BAD_MSIZE to be thrown. How can we deal with this mess? Is it possible to remove the Triple DES key from the kadmin/history principal? Or should the code be changed to deal correctly with this issue? I would like to reenable the password history but that is currently only possible if every user changes his password (which is a problem with > 25000 users). Thanks for help, Christopher -- System Information: Debian Release: 6.0.4 APT prefers stable APT policy: (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 2.6.32-5-amd64 (SMP w/1 CPU core) Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) Shell: /bin/sh linked to /bin/dash Versions of packages krb5-kdc depends on: ii debconf [debconf-2. 1.5.36.1 Debian configuration management sy ii krb5-config 2.2 Configuration files for Kerberos V ii krb5-user 1.8.3+dfsg-4squeeze5 Basic programs to authenticate usi ii libc6 2.11.3-3 Embedded GNU C Library: Shared lib ii libcomerr2 1.41.12-4stable1 common error description library ii libgssapi-krb5-2 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - k ii libgssrpc4 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - G ii libk5crypto3 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - C ii libkadm5clnt-mit7 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - A ii libkadm5srv-mit7 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - K ii libkdb5-4 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - K ii libkeyutils1 1.4-1 Linux Key Management Utilities (li ii libkrb5-3 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries ii libkrb5support0 1.8.3+dfsg-4squeeze5 MIT Kerberos runtime libraries - S ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip krb5-kdc recommends no packages. Versions of packages krb5-kdc suggests: ii krb5-admin-server 1.8.3+dfsg-4squeeze5 MIT Kerberos master server (kadmin pn krb5-kdc-ldap <none> (no description available) pn openbsd-inetd | ine <none> (no description available) -- debconf information excluded -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]
