cpw ignoring password policies

classic Classic list List threaded Threaded
6 messages Options
Reply | Threaded
Open this post in threaded view
|

cpw ignoring password policies

Dario García Díaz-Miguel
Hi there,

I'm afraid we need some help from you.

We are trying to integrate a Kerberized OpenLDAP environment with a LDAP user friendly management interface web application (LAM). This web application allows to use some custom scripts since the modules included by default are not suitable for how our environment works due to the saslauthd passthrough implementation we used.

One of the custom script is dedicated for changing principals' password. This custom script calls kadmin to do a cpw using a service principal and a dedicated keytab with the permissions correctly granted. We need for this task a totally non-interactive command since the custom script receives the variables from the php application form.

kadmin -k -t $KEYTABLOCATION -p $SERVICEPRINCIPAL -q "cpw $PRINCIPAL -pw $PASSWORD"



What we found is that this command ignores the password policy assigned to the principal, including all the complexity rules and history options. No matter if the command is launched in a kadmin console interactive mode, policies are totally ignored.

If we use:

kpasswd $PRINCIPAL



Then all the password policy rules are respected. This would be ideal if we could use it in a non-interactive mode receiving the environments from the php form, but I'm afraid is not possible (or we couldn't find or figure out how to do it) since it asks you for the old and new password and it's confirmation.

Any idea about how could we proceed? Is there a way to force the cpw command to apply an already existing policy?

Thank you so much for your time.

Kind Regards.


[cid:image001.gif@01D6709D.48FE73A0]

Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division

GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com <http://www.gmv.com/>
[cid:image002.png@01D6709D.48FE73A0]<http://www.facebook.com/infoGMV>

[cid:image003.png@01D6709D.48FE73A0]<http://www.twitter.com/infoGMV_es>

[cid:image004.png@01D6709D.48FE73A0]<http://www.youtube.com/infoGMV>

[cid:image005.png@01D6709D.48FE73A0]<https://www.linkedin.com/company/gmv>

[cid:image006.png@01D6709D.48FE73A0]<http://www.gmv.com/en/RSS>


[cid:image007.png@01D6709D.48FE73A0]<http://www.gmv.com/blog_gmv/language/en/>





P Please consider the environment before printing this e-mail.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos

image001.gif (7K) Download Attachment
image002.png (3K) Download Attachment
image003.png (3K) Download Attachment
image004.png (4K) Download Attachment
image005.png (3K) Download Attachment
image006.png (4K) Download Attachment
image007.png (6K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: cpw ignoring password policies

Greg Hudson
On 8/12/20 5:39 AM, Dario García Díaz-Miguel wrote:
> kadmin -k -t $KEYTABLOCATION -p $SERVICEPRINCIPAL -q "cpw $PRINCIPAL -pw $PASSWORD"
>
> What we found is that this command ignores the password policy assigned to the principal, including all the complexity rules and history options. No matter if the command is launched in a kadmin console interactive mode, policies are totally ignored.
>
> If we use:
>
> kpasswd $PRINCIPAL

That's unexpected, and it's not the behavior I see in a test environment:

$ kadmin.local addpol -minlength 6 testpol
$ kadmin.local modprinc -policy testpol user
$ kadmin -k -p user/admin cpw -pw pw user
change_password: Password is too short while changing password for
"[hidden email]".
$ kadmin.local cpw -pw pw user
change_password: Password is too short while changing password for
"[hidden email]".

What software and version is running on the kadmin server?
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: cpw ignoring password policies

Dario García Díaz-Miguel
Hello Greg,

Thank you so much for your quick reply.
What I found with some tests is that while length and character classes rules are being correctly applying using cpw, other rules like minlife are not respected.
For example, I set a policy with the following rules:

Policy: TEST
Maximum password life: 2629800
Minimum password life: 864000
Minimum password length: 10
Minimum number of password character classes: 3
Number of old keys kept: 4
Maximum password failures before lockout: 4
Password failure count reset interval: 0 days 03:00:00
Password lockout duration: 0 days 03:00:00

I can change all the time the password of the principal with that policy applied despite the minimum password life described.
Also I'm able to apply old passwords and the history is not being respected, but I'm afraid that's the expected behavior because of the LDAP database module.

Using kpasswd, then the reject message is correctly prompted:

Password change rejected: Password cannot be changed because it was changed too recently. Please wait until Sun Aug 23 07:42:10 2020 before you change it.
If you need to change your password before then, contact your system security administrator.

I understand that cpw is more like the administration password changing tool and in order to be able to change the password whenever it requires by the system administrator, the minimum password life is not being applied.
But then, Any ideas about how could we proceed?

Our kerberos version: 1.12.5-40.34.1
OS: Suse 12 SP3

We are not able to install more recent software due to some customer requirements, although  would be apprecited to know if further versions have a different behavior.


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com










-----Mensaje original-----
De: Greg Hudson [mailto:[hidden email]]
Enviado el: miércoles, 12 de agosto de 2020 17:52
Para: Dario García Díaz-Miguel <[hidden email]>; [hidden email]
Asunto: Re: cpw ignoring password policies

On 8/12/20 5:39 AM, Dario García Díaz-Miguel wrote:
> kadmin -k -t $KEYTABLOCATION -p $SERVICEPRINCIPAL -q "cpw $PRINCIPAL -pw $PASSWORD"
>
> What we found is that this command ignores the password policy assigned to the principal, including all the complexity rules and history options. No matter if the command is launched in a kadmin console interactive mode, policies are totally ignored.
>
> If we use:
>
> kpasswd $PRINCIPAL

That's unexpected, and it's not the behavior I see in a test environment:

$ kadmin.local addpol -minlength 6 testpol $ kadmin.local modprinc -policy testpol user $ kadmin -k -p user/admin cpw -pw pw user
change_password: Password is too short while changing password for "[hidden email]".
$ kadmin.local cpw -pw pw user
change_password: Password is too short while changing password for "[hidden email]".

What software and version is running on the kadmin server?

P Please consider the environment before printing this e-mail.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

Re: cpw ignoring password policies

Greg Hudson
On 8/13/20 1:51 AM, Dario García Díaz-Miguel wrote:
> I can change all the time the password of the principal with that policy applied despite the minimum password life described.

That's true.  The kadmin server code deliberately only checks the
minimum life if a principal is changing its own password.

> Also I'm able to apply old passwords and the history is not being respected, but I'm afraid that's the expected behavior because of the LDAP database module.

Right, LDAP password history is implemented in release 1.15 but not in 1.12.

> I understand that cpw is more like the administration password changing tool and in order to be able to change the password whenever it requires by the system administrator, the minimum password life is not being applied.
> But then, Any ideas about how could we proceed?

I guess you could print a kadmin ticket for the user from the KDB and
then authenticate with it:

    kinit -k -c somefilename -t KDB: -S kadmin/admin username
    kadmin -c somefilename -q "cpw -pw password username"

kinit -t KDB: support was added in release 1.9, so should be available.
________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: cpw ignoring password policies

Dario García Díaz-Miguel
Hi Greg,

Thank you so much for your Support and quick replies, really appreciated.

> That's true.  The kadmin server code deliberately only checks the minimum life if a principal is changing its own password.

Indeed. It makes sense.

> Right, LDAP password history is implemented in release 1.15 but not in 1.12.

I will discuss this point with the project leaders to see if we can upgrade the krb5 version since this is a requirement as well as some supported features in further version such as spake preauth or aes256.

> I guess you could print a kadmin ticket for the user from the KDB and then authenticate with it:
>
> kinit -k -c somefilename -t KDB: -S kadmin/admin username
> kadmin -c somefilename -q "cpw -pw password username"
> kinit -t KDB: support was added in release 1.9, so should be available.

Perfect. This seems to work for me when running the commands as root user. It checks the minimum password life and rejects the change.
But, since the user who ran the script files is wwwrun, I'm getting the following message:

$/usr/lib/mit/bin/kinit -k -c /home/wwwrun/arashimkrbcc -t KDB: -S kadmin/admin arashim
 kinit: No such file or directory while setting up KDB keytab for realm TEST.COM

I've tried with several users and path locations for the cache credentials file but not succedeed. Using sudo before command works flawlessly.
What files or directories this command checks other than the cache credentials created, requiring to grant some permissions to the user who is running it?
According to kinit man, the "KDB:" option looks directly inside the Kerberos Database. So, this should be a permissions issue to access to the Kerberos Database. But honestly, I don't know what files and which should I grant to read to wwwrun to make this work avoiding to hardcode the root password in plain text. I'm not being able to track it on logs either.
Since we built the Kerberos Database on OpenLDAP krbContainer, what file is the one which non-root user should be able to read in order to make this work?

Another option regarding with the idea you sent me could be create a keytab owned by wwwrun to store all users keys and use. However I would prefer to ask the ticket looking directly into the KDB instead of using another keytab for all users. It could be a headache to maintain and totally a bad practice.

Again, thank you so much for your help.
Kind Regards.


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com











-----Mensaje original-----
De: Greg Hudson [mailto:[hidden email]]
Enviado el: jueves, 13 de agosto de 2020 17:36
Para: Dario García Díaz-Miguel <[hidden email]>; [hidden email]
Asunto: Re: cpw ignoring password policies

On 8/13/20 1:51 AM, Dario García Díaz-Miguel wrote:
> I can change all the time the password of the principal with that policy applied despite the minimum password life described.

That's true.  The kadmin server code deliberately only checks the minimum life if a principal is changing its own password.

> Also I'm able to apply old passwords and the history is not being respected, but I'm afraid that's the expected behavior because of the LDAP database module.

Right, LDAP password history is implemented in release 1.15 but not in 1.12.

> I understand that cpw is more like the administration password changing tool and in order to be able to change the password whenever it requires by the system administrator, the minimum password life is not being applied.
> But then, Any ideas about how could we proceed?

I guess you could print a kadmin ticket for the user from the KDB and then authenticate with it:

    kinit -k -c somefilename -t KDB: -S kadmin/admin username
    kadmin -c somefilename -q "cpw -pw password username"

kinit -t KDB: support was added in release 1.9, so should be available.

P Please consider the environment before printing this e-mail.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Reply | Threaded
Open this post in threaded view
|

RE: cpw ignoring password policies

Dario García Díaz-Miguel
Hi again Greg,

Please forget my last email. I already found the files that wwwrun should be able to run. I will create a special group for reading the files inside /var/lib/kerberos/krb5kdc/
Now wwwrun acquires correctly the ticket.

Thank you so much.
Kind Regards.

Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com











-----Mensaje original-----
De: Dario García Díaz-Miguel
Enviado el: viernes, 14 de agosto de 2020 9:12
Para: Greg Hudson <[hidden email]>; [hidden email]
Asunto: RE: cpw ignoring password policies

Hi Greg,

Thank you so much for your Support and quick replies, really appreciated.

> That's true.  The kadmin server code deliberately only checks the minimum life if a principal is changing its own password.

Indeed. It makes sense.

> Right, LDAP password history is implemented in release 1.15 but not in 1.12.

I will discuss this point with the project leaders to see if we can upgrade the krb5 version since this is a requirement as well as some supported features in further version such as spake preauth or aes256.

> I guess you could print a kadmin ticket for the user from the KDB and then authenticate with it:
>
> kinit -k -c somefilename -t KDB: -S kadmin/admin username kadmin -c
> somefilename -q "cpw -pw password username"
> kinit -t KDB: support was added in release 1.9, so should be available.

Perfect. This seems to work for me when running the commands as root user. It checks the minimum password life and rejects the change.
But, since the user who ran the script files is wwwrun, I'm getting the following message:

$/usr/lib/mit/bin/kinit -k -c /home/wwwrun/arashimkrbcc -t KDB: -S kadmin/admin arashim
 kinit: No such file or directory while setting up KDB keytab for realm TEST.COM

I've tried with several users and path locations for the cache credentials file but not succedeed. Using sudo before command works flawlessly.
What files or directories this command checks other than the cache credentials created, requiring to grant some permissions to the user who is running it?
According to kinit man, the "KDB:" option looks directly inside the Kerberos Database. So, this should be a permissions issue to access to the Kerberos Database. But honestly, I don't know what files and which should I grant to read to wwwrun to make this work avoiding to hardcode the root password in plain text. I'm not being able to track it on logs either.
Since we built the Kerberos Database on OpenLDAP krbContainer, what file is the one which non-root user should be able to read in order to make this work?

Another option regarding with the idea you sent me could be create a keytab owned by wwwrun to store all users keys and use. However I would prefer to ask the ticket looking directly into the KDB instead of using another keytab for all users. It could be a headache to maintain and totally a bad practice.

Again, thank you so much for your help.
Kind Regards.


Dario Garcia
Díaz-Miguel
GGCS-SES Unit
GGCS SKMF Infrastructure Division
GMV
C\ de Isaac Newton, 11
28760, Tres Cantos, Madrid
España
+34 918 07 21 00
+34 918 07 21 99
www.gmv.com











-----Mensaje original-----
De: Greg Hudson [mailto:[hidden email]] Enviado el: jueves, 13 de agosto de 2020 17:36
Para: Dario García Díaz-Miguel <[hidden email]>; [hidden email]
Asunto: Re: cpw ignoring password policies

On 8/13/20 1:51 AM, Dario García Díaz-Miguel wrote:
> I can change all the time the password of the principal with that policy applied despite the minimum password life described.

That's true.  The kadmin server code deliberately only checks the minimum life if a principal is changing its own password.

> Also I'm able to apply old passwords and the history is not being respected, but I'm afraid that's the expected behavior because of the LDAP database module.

Right, LDAP password history is implemented in release 1.15 but not in 1.12.

> I understand that cpw is more like the administration password changing tool and in order to be able to change the password whenever it requires by the system administrator, the minimum password life is not being applied.
> But then, Any ideas about how could we proceed?

I guess you could print a kadmin ticket for the user from the KDB and then authenticate with it:

    kinit -k -c somefilename -t KDB: -S kadmin/admin username
    kadmin -c somefilename -q "cpw -pw password username"

kinit -t KDB: support was added in release 1.9, so should be available.

P Please consider the environment before printing this e-mail.


P Please consider the environment before printing this e-mail.

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos