Package: libpam-krb5
Version: 2.6-1
Changing Kerberos passwords via PAM is broken. This applies both to
libpam-krb5 and to libpam-heimdal.
I have
    password sufficient pam_krb5.so
in my /etc/pam.d/common-password file, and
    [libdefaults]
        forwardable = true
in my /etc/krb5.conf.
If I try to change a test user's password with passwd, I get the
following in the (heimdal-kdc 0.7.2.dfsg.1-10) KDC's log:
2007-08-29T13:49:03 AS-REQ [EMAIL PROTECTED] from IPv4:xx.yy.zz.tt for kadmin/[EMAIL PROTECTED]
2007-08-29T13:49:03 Looking for ENC-TS pa-data -- [EMAIL PROTECTED]
2007-08-29T13:49:03 ENC-TS Pre-authentication succeeded -- [EMAIL PROTECTED]
2007-08-29T13:49:03 Using aes256-cts-hmac-sha1-96/des3-cbc-sha1
2007-08-29T13:49:03 Requested flags: renewable, proxiable, forwardable
2007-08-29T13:49:03 Ticket may not be forwardable -- [EMAIL PROTECTED]
2007-08-29T13:49:03 sending 147 bytes to IPv4:xx.yy.zz.tt
kpasswd (from heimdal-clients) doesn't suffer from this problem.
Looking at the source code, the problem appears to be that
pamk5_password_auth() (in support.c) blindly sets the "forwardable"
request flag even when the requested principal is kadmin/changepw.
Maybe the code in support.c that sets ticket options needs to be wrapped
in an
    if (in_tkt_service == NULL) {
    }
block? See the comment that says "the only interesting non-null case is
kadmin/changepw for changing passwords".
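As an added illustration (not code from this report or from libpam-krb5), a small C model of the exchange described above: the client applies its ticket options to the AS-REQ, and a KDC-side policy check rejects a request for a forwardable ticket when the password-change service is involved. The flag bits, struct and function names are constructed for this example and are not the real libkrb5 API.

```c
#include <stdio.h>
#include <string.h>

/* Constructed flag bits standing in for the KDCOptions of an AS-REQ. */
enum { F_FORWARDABLE = 1, F_PROXIABLE = 2, F_RENEWABLE = 4 };

/* Ticket options a client takes from its configuration (e.g. krb5.conf). */
struct tkt_opts { int forwardable, proxiable, renewable; };

/* Client side: flags put in the AS-REQ for in_tkt_service.
 * fixed == 0 models the reported behaviour (options applied regardless of
 * the requested service); fixed == 1 applies them only when in_tkt_service
 * is NULL, i.e. for a normal TGT and not for kadmin/changepw. */
int client_request_flags(const struct tkt_opts *o, const char *in_tkt_service, int fixed)
{
    int flags = 0;
    if (fixed && in_tkt_service != NULL)
        return flags;                 /* service ticket: request no options */
    if (o->forwardable) flags |= F_FORWARDABLE;
    if (o->proxiable)   flags |= F_PROXIABLE;
    if (o->renewable)   flags |= F_RENEWABLE;
    return flags;
}

/* KDC side (modelled): a request asking for a forwardable ticket is refused
 * when policy disallows forwardable tickets for the password-change service.
 * Returns 1 if accepted, 0 for the "Ticket may not be forwardable" case. */
int kdc_accepts(const char *service, int requested_flags)
{
    int disallow_forwardable = strcmp(service, "kadmin/changepw") == 0;
    return !((requested_flags & F_FORWARDABLE) && disallow_forwardable);
}

/* The KDC log in the report shows renewable, proxiable and forwardable all
 * requested, so the constructed configuration enables all three. */
static const struct tkt_opts cfg = { 1, 1, 1 };

/* Password change via kadmin/changepw, with and without the fix. */
int changepw_succeeds(int fixed)
{
    const char *svc = "kadmin/changepw";
    return kdc_accepts(svc, client_request_flags(&cfg, svc, fixed));
}

/* Ordinary TGT request: the fix must not strip the options here. */
int tgt_request_flags(int fixed) { return client_request_flags(&cfg, NULL, fixed); }

int main(void)
{
    printf("unfixed: %s\n", changepw_succeeds(0) ? "ok" : "Ticket may not be forwardable");
    printf("fixed:   %s\n", changepw_succeeds(1) ? "ok" : "Ticket may not be forwardable");
    return 0;
}
```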