-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hi, we recently updated our master KDC from Debian Lenny to Debian Squeeze. This included a kerberos upgrade from 1.6 to 1.8. After the update several users were not able anymore to change their passwords, no matter if kpasswd or kadmin.local was used: change_password: Message size is incompatible with encryption type while changing password for "[email protected]". All our user principals use a policy which sets a password history of 6. The problem disappeared as we set the history to 1, so that no history was used at all. Further investigation showed the involved code parts: #0 krb5_k_decrypt (context=0x6129f0, key=0x636fc0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:54 #1 0x00007ffff6c31739 in krb5_c_decrypt (context=0x6129f0, keyblock=0x7fffffffc2f0, usage=0, ivec=0x0, input=0x7fffffffc010, output=0x7fffffffc030) at ../../../../src/lib/crypto/krb/decrypt.c:100 #2 0x00007ffff77a4171 in krb5_dbekd_def_decrypt_key_data (context=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/decrypt_key.c:92 #3 0x00007ffff77a3c67 in krb5_dbekd_decrypt_key_data (kcontext=0x6129f0, mkey=0x7fffffffc2f0, key_data=0x6338c0, dbkey=0x7fffffffc100, keysalt=0x0) at ../../../src/lib/kdb/kdb5.c:2481 #4 0x00007ffff79c27be in check_pw_reuse (context=0x6129f0, mkey=0x6171b0, hist_keyblock=0x7fffffffc2f0, n_new_key_data=8, new_key_data=0x633d50, n_pw_hist_data=5, pw_hist_data=0x633650) at ../../../../src/lib/kadm5/srv/svr_principal.c:988 #5 0x00007ffff79c3441 in kadm5_chpass_principal_3 (server_handle=0x614830, principal=0x6335c0, keepold=0, n_ks_tuple=0, ks_tuple=0x0, password=0x611940 "Blafasel123") at ../../../../src/lib/kadm5/srv/svr_principal.c:1454 #6 0x00007ffff79c2ed1 in kadm5_chpass_principal (server_handle=0x614830, principal=0x6335c0, password=0x611940 "Blafasel123") at ../../../../src/lib/kadm5/srv/svr_principal.c:1334 #7 0x0000000000404849 in kadmin_cpw (argc=1, argv=0x629fc8) at ../../../src/kadmin/cli/kadmin.c:783 #8 0x00007ffff7bdbeda in ?? () from /lib/libss.so.2 #9 0x00007ffff7bdbfc5 in ss_execute_line () from /lib/libss.so.2 #10 0x00007ffff7bdc3ff in ss_listen () from /lib/libss.so.2 #11 0x00000000004077c5 in main (argc=1, argv=0x7fffffffe828) at ../../../src/kadmin/cli/ss_wrapper.c:61 (gdb) p input->ciphertext.length $1 = 24 (gdb) p header_len $2 = 8 (gdb) p trailer_len $3 = 20 (gdb) p input->enctype $4 = 511 (gdb) p ktp->etype $5 = 16 So the history key type is Triple-DES. When we setup a new test realm we found a DES key was used instead, just like the master key. kadmin.local: getprinc kadmin/history Principal: kadmin/[email protected] Expiration date: [never] Last password change: Tue Dec 10 15:51:20 CET 2002 Password expiration date: [none] Maximum ticket life: 0 days 00:01:04 Maximum renewable life: 0 days 00:00:00 Last modified: Tue Dec 10 15:51:20 CET 2002 ([email protected]) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 2 Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 2, DES cbc mode with CRC-32, no salt MKey: vno 1 Attributes: Policy: [none] I have no idea why our realm database has these two enctypes for the kadmin/history principal, but it has. The 1.8 code seems to have a serious problem with that as it causes KRB5_BAD_MSIZE to be thrown. How can we deal with this mess? Is it possible to remove the Triple DES key from the kadmin/history principal? Or should the code be changed to deal correctly with this issue? I would like to reenable the password history but that is currently only possible if every user changes his password (which is a problem with > 25000 users). Thanks for help, Christopher P.S.: This bug also exists as Debian bug #660869. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iD8DBQFPVgo1hxiCJKeLY0IRAgyxAKCtVWGP8tO4+BYvsTfjQ9GDsR8PQACgmbXZ CLZRsMckWUsAhaZUrrZLIwE= =ya8E -----END PGP SIGNATURE----- ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
