kadmind: password history interaction with keepold

kadmind: password history interaction with keepold

Tomas Kuthan
Hi,

after some while I finally got back to working on password history in
LDAP KDB back-end [1].

I have run into a corner case and I am not really sure whether the behavior
in the back-end-agnostic code is correct with respect to the use of the -keepold
option with principals that have a password history.
In my opinion, with -keepold, old keys are retained in password history
for too long.

To reproduce:

kadmin.local:  addpol -history 2 pol
kadmin.local:  addprinc -policy pol -pw aaaa princ    (0)
Principal "[hidden email]" created.
kadmin.local:  cpw -keepold -pw bbbb princ            (1)
Password for "[hidden email]" changed.
kadmin.local:  cpw -pw cccc princ                     (2)
Password for "[hidden email]" changed.
kadmin.local:  cpw -pw aaaa princ                     (3)
change_password: Cannot reuse password while changing password for
"[hidden email]".

I would have expected the third change to succeed, because my last and
last-but-one passwords were cccc and bbbb respectively.

But in fact the contents of password history changed like this:
0) (empty)
1) aaaa
2) aaaa|aaaa,bbbb
3) aaaa,bbbb|cccc

I would find it more logical if only the keys with the highest kvno
were added to the history in each step, like this:
0) (empty)
1) aaaa
2) aaaa|bbbb
3) bbbb|cccc

Is the current behavior intentional? Or is it a bug?

Thanks,
Tomas

[1] https://github.com/krb5/krb5/pull/132
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
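The two histories listed above can be replayed with a small model of the history bookkeeping. This is an added illustration, not krb5 code: passwords stand in for the key sets the KDB would store, the ring holds `-history` entries as the listing shows, and the reuse check runs against the ring after the replaced keys are retired into it, which is what the listed state after the failed third change implies. The `highest_kvno_only` switch selects between the reported behaviour (every key set still on the principal goes into one history record) and the proposed one (only the highest kvno is retired).

```python
"""Toy model of kadmind password-history bookkeeping (illustrative, not krb5).

Reproduces the kadmin session from the thread:
    addpol -history 2 pol
    addprinc -policy pol -pw aaaa princ
    cpw -keepold -pw bbbb princ
    cpw -pw cccc princ
    cpw -pw aaaa princ
"""
from __future__ import annotations

from dataclasses import dataclass, field


class PasswordReuseError(Exception):
    """Raised when the new password matches a retained history entry."""


@dataclass
class Principal:
    # kvno -> password (stands in for that kvno's key set).  More than one
    # kvno is present only after a change made with -keepold.
    keys: dict[int, str]
    # Ring of retired records, oldest first.  Each record is a set because a
    # single retired record may carry the keys of several kvnos.
    history: list[frozenset[str]] = field(default_factory=list)


def retire_keys(princ: Principal, highest_kvno_only: bool) -> frozenset[str]:
    """Build the history record for the keys being replaced.

    highest_kvno_only=False models the behaviour reported in the thread: every
    key set still on the principal (kept by an earlier -keepold) lands in one
    history record.  True models the proposed behaviour: only the keys with the
    highest kvno, i.e. the password actually being replaced, are retired.
    """
    if highest_kvno_only:
        return frozenset({princ.keys[max(princ.keys)]})
    return frozenset(princ.keys.values())


def change_password(princ: Principal, new_pw: str, history_len: int,
                    keepold: bool = False, highest_kvno_only: bool = True) -> None:
    """Retire the current keys into the ring, then refuse a password that is
    still present in the ring; the ring update is done first, matching the
    state listed in the thread after the rejected third change."""
    princ.history.append(retire_keys(princ, highest_kvno_only))
    del princ.history[:-history_len]          # keep the newest history_len records

    if any(new_pw in record for record in princ.history):
        raise PasswordReuseError(f"Cannot reuse password {new_pw!r}")

    new_kvno = max(princ.keys) + 1
    if not keepold:
        princ.keys.clear()                    # without -keepold old kvnos are dropped
    princ.keys[new_kvno] = new_pw


def fmt(history: list[frozenset[str]]) -> str:
    """Render the ring in the thread's notation: entries separated by '|',
    keys inside one entry by ','."""
    return "|".join(",".join(sorted(record)) for record in history) or "(empty)"


def run_scenario(highest_kvno_only: bool) -> tuple[list[str], str]:
    """Replay the session; returns the ring after each step and the outcome
    of the final change ("ok" or the rejection message)."""
    princ = Principal(keys={1: "aaaa"})               # addprinc -pw aaaa
    snapshots = [fmt(princ.history)]                  # (0)
    steps = [("bbbb", True), ("cccc", False), ("aaaa", False)]  # (1) (2) (3)
    outcome = "ok"
    for password, keepold in steps:
        try:
            change_password(princ, password, history_len=2, keepold=keepold,
                            highest_kvno_only=highest_kvno_only)
        except PasswordReuseError as exc:
            outcome = str(exc)
        snapshots.append(fmt(princ.history))
    return snapshots, outcome


if __name__ == "__main__":
    for label, flag in (("reported", False), ("highest kvno only", True)):
        snaps, outcome = run_scenario(flag)
        print(f"{label}:")
        for step, ring in enumerate(snaps):
            print(f"  {step}) {ring}")
        print(f"  third change: {outcome}")
```

With `highest_kvno_only=False` the ring goes `aaaa`, `aaaa|aaaa,bbbb`, `aaaa,bbbb|cccc` and the final change is refused; with `True` it goes `aaaa`, `aaaa|bbbb`, `bbbb|cccc` and the change succeeds, so the effective history depth no longer depends on whether an earlier change happened to use -keepold.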

Re: kadmind: password history interaction with keepold

Greg Hudson
On 07/23/2014 08:37 AM, Tomas Kuthan wrote:
> I have run into a corner case and I am not really sure whether the behavior
> in the back-end-agnostic code is correct with respect to the use of the -keepold
> option with principals that have a password history.
> In my opinion, with -keepold, old keys are retained in password history
> for too long.

Sorry, I missed this message somehow.  I agree completely; only the most
recent kvno should be stored in the history record.