Bug 155265 - Kerberos password change fails, but user is told that it succeeded
Summary: Kerberos password change fails, but user is told that it succeeded
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On:
Reported: 2005-04-18 18:14 UTC by Jason Tibbitts
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.2.11-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-02-08 16:19:12 UTC

Attachments
/etc/pam.d/system-auth (deleted)
2005-04-18 18:14 UTC, Jason Tibbitts

Description Jason Tibbitts 2005-04-18 18:14:27 UTC
I'm running stock FC3 with pam_krb5-2.1.2-1.  My server is an FC2 machine running

I'm seeing password changes via "passwd" appear to succeed with the message:

passwd: all authentication tokens updated successfully.

and the logged entry:

passwd[6158]: pam_krb5[6158]: password changed for XXXX

but the server logs errors like:

kadmind[2030](Notice): chpw request from XXXX for XXXX: Cannot reuse password

kadmind[2030](Notice): chpw request from XXXX for XXXX: Password is too short

It seems the error is not being propagated back to the user.  If I use a
password that doesn't trigger the length or reuse errors, the change succeeds.

I'll attach my /etc/pam.d/system-auth.
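
Added example, not part of the original report or of pam_krb5: one way to spot the mismatch described above is to correlate the client's "password changed for" entries with kadmind's "chpw request" entries and flag any client-side success whose nearest server entry is a rejection. The timestamp and host prefix, the `success` result text, and all sample users and addresses are assumptions; the log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Message bodies follow the lines quoted in the report. The leading ISO
# timestamp and host field, and the "success" result text, are assumptions.
CLIENT_RE = re.compile(
    r"^(\S+) \S+ passwd\[\d+\]: pam_krb5\[\d+\]: password changed for (\S+)$")
SERVER_RE = re.compile(
    r"^(\S+) \S+ kadmind\[\d+\]\(Notice\): chpw request from \S+ for (\S+): (.+)$")

def _parse(lines, pattern):
    """Yield (timestamp, user, remaining groups) for every matching line."""
    for line in lines:
        m = pattern.match(line.strip())
        if m:
            user = m.group(2).split("@", 1)[0]   # compare without the realm
            yield datetime.fromisoformat(m.group(1)), user, m.groups()[2:]

def false_successes(client_lines, server_lines, window=timedelta(seconds=30)):
    """Return (user, server_result) for each client-side "password changed"
    whose nearest kadmind chpw entry is a rejection, or is missing."""
    server = list(_parse(server_lines, SERVER_RE))
    findings = []
    for c_time, c_user, _ in _parse(client_lines, CLIENT_RE):
        near = [(abs(s_time - c_time), result[0])
                for s_time, s_user, result in server
                if s_user == c_user and abs(s_time - c_time) <= window]
        if not near:
            findings.append((c_user, "no chpw request logged"))
            continue
        result = min(near)[1]            # entry closest in time wins
        if result != "success":
            findings.append((c_user, result))
    return findings

# Constructed sample lines (users, hosts, addresses and times are made up).
CLIENT_LOG = """
2005-04-18T18:10:02 ws1 passwd[6158]: pam_krb5[6158]: password changed for alice
2005-04-18T18:12:40 ws1 passwd[6171]: pam_krb5[6171]: password changed for bob
2005-04-18T18:15:11 ws1 passwd[6190]: pam_krb5[6190]: password changed for carol
"""
SERVER_LOG = """
2005-04-18T18:10:03 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for alice@EXAMPLE.COM: Cannot reuse password
2005-04-18T18:12:41 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for bob@EXAMPLE.COM: success
2005-04-18T18:15:12 kdc1 kadmind[2030](Notice): chpw request from 192.0.2.10 for carol@EXAMPLE.COM: Password is too short
"""

if __name__ == "__main__":
    print(false_successes(CLIENT_LOG.splitlines(), SERVER_LOG.splitlines()))
```

Each finding is an account whose owner was told the password changed while the KDC still holds the old one, which matters most when the change was meant to rotate a suspected-compromised password.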

Comment 1 Jason Tibbitts 2005-04-18 18:14:27 UTC
Created attachment 113336 [details]

Comment 2 Jason Tibbitts 2005-04-18 20:07:24 UTC
I built and installed pam_krb5-2.1.5-1; the problem is still present.

Comment 3 Jason Tibbitts 2005-04-19 16:39:39 UTC
I read over the pam_krb5 source and it looks like everything is done by calling
krb5_change_password which is part of Kerberos, and the return , so I built and
installed krb5 1.4-3 from Rawhide.  The behavior still did not change.  However,
I note that using kpasswd works fine and properly reports errors.

Comment 4 Matthew Miller 2006-07-10 20:22:54 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Comment 5 Jason Tibbitts 2007-02-08 16:19:12 UTC
I don't believe I can reproduce this with a modern release.
