/var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade


/var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Renata Maria Dart


Hi, we recently upgraded our heimdal servers from solaris to linux
RHEL6 and from heimdal 1.4.1 to 1.6.99.  In the process we seem to
have lost the ability for password changes to update
/var/heimdal/kpasswdd.history.  Also, I believe the check for password
goodness has also been lost.  Password changes are getting logged to
/var/heimdal/kpwd5.log, but before the upgrade there were numerous
entries "didn't pass password quality check" and since the upgrade
there are none.  But I don't see any errors to suggest what is
wrong in the kpwd5.log.  Does anyone have any suggestions as to
what is wrong or how to figure out what is wrong?

Thanks,

Renata

Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Jeffrey Altman-2
On 6/29/2016 6:39 PM, Renata Maria Dart wrote:

>
>
> Hi, we recently upgraded our heimdal servers from solaris to linux
> RHEL6 and from heimdal 1.4.1 to 1.6.99.  In the process we seem to
> have lost the ability for password changes to update
> /var/heimdal/kpasswdd.history.  Also, I believe the check for password
> goodness has also been lost.  Password changes are getting logged to
> /var/heimdal/kpwd5.log, but before the upgrade there were numerous
> entries "didn't pass password quality check" and since the upgrade
> there are none.  But I don't see any errors to suggest what is
> wrong in the kpwd5.log.  Does anyone have any suggestions as to
> what is wrong or how to figure out what is wrong?
>
> Thanks,
>
> Renata
For the list readership kpasswdd.history is created by a password
quality plugin that is not part of the Heimdal distribution.

Jeffrey Altman




Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Henry B Hotz
Ah! Then it's a question for Russ Allbery or Alf Wachsmann. You need their email addresses?

> On Jun 29, 2016, at 5:22 PM, Jeffrey Altman <[hidden email]> wrote:
>
> On 6/29/2016 6:39 PM, Renata Maria Dart wrote:
>>
>>
>> Hi, we recently upgraded our heimdal servers from solaris to linux
>> RHEL6 and from heimdal 1.4.1 to 1.6.99.  In the process we seem to
>> have lost the ability for password changes to update
>> /var/heimdal/kpasswdd.history.  Also, I believe the check for password
>> goodness has also been lost.  Password changes are getting logged to
>> /var/heimdal/kpwd5.log, but before the upgrade there were numerous
>> entries "didn't pass password quality check" and since the upgrade
>> there are none.  But I don't see any errors to suggest what is
>> wrong in the kpwd5.log.  Does anyone have any suggestions as to
>> what is wrong or how to figure out what is wrong?
>>
>> Thanks,
>>
>> Renata
>
> For the list readership kpasswdd.history is created by a password
> quality plugin that is not part of the Heimdal distribution.
>
> Jeffrey Altman
>
>


Personal: [hidden email]
https://www.linkedin.com/in/hbhotz/


Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Russ Allbery-2
"Henry B (Hank) Hotz, CISSP" <[hidden email]> writes:

> Ah! Then it's a question for Russ Allbery or Alf Wachsmann. You need
> their email addresses?

I don't think SLAC was using krb5-strength.  (Although maybe now would be
a good time to take a look at it?  It was working with the version of
Heimdal Stanford main campus was using when I left, at least.)

Note that the CrackLib code in there is suspect; I really need to
incorporate changes from the revived CrackLib upstream.  Stanford main
campus switched to using the SQLite-based dictionary and edit distance
one check.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>

Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Toby Blake

> On 30 Jun 2016, at 01:52, Russ Allbery <[hidden email]> wrote:
>
> "Henry B (Hank) Hotz, CISSP" <[hidden email]> writes:
>
>> Ah! Then it's a question for Russ Allbery or Alf Wachsmann. You need
>> their email addresses?
>
> I don't think SLAC was using krb5-strength.  (Although maybe now would be
> a good time to take a look at it?  It was working with the version of
> Heimdal Stanford main campus was using when I left, at least.)
>
> Note that the CrackLib code in there is suspect; I really need to
> incorporate changes from the revived CrackLib upstream.  Stanford main
> campus switched to using the SQLite-based dictionary and edit distance
> one check.

Hi Russ, when you say "the CrackLib code in there is suspect", do you mean
in the current krb5-strength?  If so, can you provide details?  Suspect, to
the extent that it should not be used?  Should it be built against a newer
cracklib?  Note that we're using it with MIT kerberos, so hopefully this
isn't off-topic for this list.

Cheers
Toby Blake
School of Informatics
University of Edinburgh


--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.


Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Russ Allbery-2
Toby Blake <[hidden email]> writes:

> Hi Russ, when you say "the CrackLib code in there is suspect", do you
> mean in the current krb5-strength?  If so, can you provide details?
> Suspect, to the extent that it should not be used?  Should it be built
> against a newer cracklib?  Note that we're using it with MIT kerberos,
> so hopefully this isn't off-topic for this list.

The code quality of CrackLib (any version) has historically not been very
good.  I fixed a bunch of corruption bugs in the version embedded in
krb5-strength compared to the (at the time) abandoned upstream.  But since
then someone else took over upstream development and found more bugs.  I
have mail somewhere in my inbox about them, but I haven't looked at them
in any detail for security implications.  (Since switching jobs, I haven't
been doing much with Kerberos, and haven't had time to chase down a lot of
things like that.)

The concern for MIT is stronger because it runs directly inside kadmind,
so any sort of bug might have immediate security implications.  If you
have a fairly recent distribution with the new patches, you may want to
consider building with system CrackLib instead, or downloading the current
version of CrackLib and installing it and then telling krb5-strength that
it's the system version and to build with it.  You do lose some of the
patched-in rules, though.

Alternately, you may want to consider switching to the SQLite database
approach with a good wordlist.  It doesn't do all the complex munging that
CrackLib does, but current thinking on password strength is that those
munging rules aren't as useful as they used to be.  It does generic edit
distance one checks from any dictionary word, which we found to be pretty
effective.

That said, I may be excessively paranoid, since I did hack on the embedded
CrackLib until it ran clean under valgrind.  That doesn't mean there are
no remaining bugs, but I may have already patched or worked around those
issues.

I'm hoping to find some time over the upcoming long US holiday weekend to
try to catch up on some open source stuff.

--
Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
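The edit-distance-one dictionary check Russ recommends in both of his replies above, as an added example that is not krb5-strength's or Heimdal's own code. The wordlist is constructed for illustration, and the check is a plain scan of it rather than the SQLite prefix/suffix lookup the real plugin uses.

```python
"""Dictionary check with an edit-distance-one rule, the idea behind the
SQLite-based check described above.  Added example, not krb5-strength's
code; the wordlist below is constructed for illustration."""

# Constructed sample wordlist; a deployment would load a large dictionary
# (and index it by prefix/suffix rather than scan it, as krb5-strength's
# SQLite backend does).
WORDLIST = {"password", "kerberos", "heimdal", "stanford", "summer", "letmein"}


def within_edit_distance_one(a: str, b: str) -> bool:
    """True if a == b or one insertion, deletion or substitution turns
    a into b (Levenshtein distance <= 1).  Runs in linear time."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a          # keep a the shorter (or equal) string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):
            i += 1           # substitution consumes a char on both sides
        j += 1               # insertion consumes a char of b only
    # A leftover trailing character in b is one more insertion.
    return edits + (len(b) - j) <= 1


def check_password(candidate: str, wordlist=WORDLIST):
    """Return a rejection reason, or None if the candidate passes.
    Case is folded first so 'Password' and 'password' are the same word."""
    cand = candidate.lower()
    for word in wordlist:
        if within_edit_distance_one(cand, word):
            return f"too close to dictionary word '{word}'"
    return None


if __name__ == "__main__":
    # 'Passw0rd' is one substitution from 'password' and is rejected;
    # 'p4ssw0rd' needs two edits, so this rule alone lets it through,
    # which is the kind of munging CrackLib's rules would still catch.
    for pw in ("Passw0rd", "Summer1", "p4ssw0rd", "correct-horse-battery"):
        print(pw, "->", check_password(pw) or "ok")
```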

Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Renata Maria Dart
In reply to this post by Russ Allbery-2
Hi to Russ and Hank, we were able to resolve our problem...it
was a leftover solaris file that needed to be replaced.  

Thanks for all the extra insight on cracklib,

Renata

On Wed, 29 Jun 2016, Russ Allbery wrote:

>"Henry B (Hank) Hotz, CISSP" <[hidden email]> writes:
>
>> Ah! Then it's a question for Russ Allbery or Alf Wachsmann. You need
>> their email addresses?
>
>I don't think SLAC was using krb5-strength.  (Although maybe now would be
>a good time to take a look at it?  It was working with the version of
>Heimdal Stanford main campus was using when I left, at least.)
>
>Note that the CrackLib code in there is suspect; I really need to
>incorporate changes from the revived CrackLib upstream.  Stanford main
>campus switched to using the SQLite-based dictionary and edit distance
>one check.
>
>--
>Russ Allbery ([hidden email])              <http://www.eyrie.org/~eagle/>
>


Re: /var/heimdal/kpasswdd.history no longer updating after a heimdal upgrade

Toby Blake
In reply to this post by Russ Allbery-2
> On 30 Jun 2016, at 16:53, Russ Allbery <[hidden email]> wrote:
>
> Toby Blake <[hidden email]> writes:
>
>> Hi Russ, when you say "the CrackLib code in there is suspect", do you
>> mean in the current krb5-strength?  If so, can you provide details?
>> Suspect, to the extent that it should not be used?  Should it be built
>> against a newer cracklib?  Note that we're using it with MIT kerberos,
>> so hopefully this isn't off-topic for this list.
>
> The code quality of CrackLib (any version) has historically not been very
> good.  I fixed a bunch of corruption bugs in the version embedded in
> krb5-strength compared to the (at the time) abandoned upstream.  But since
> then someone else took over upstream development and found more bugs.  I
> have mail somewhere in my inbox about them, but I haven't looked at them
> in any detail for security implications.  (Since switching jobs, I haven't
> been doing much with Kerberos, and haven't had time to chase down a lot of
> things like that.)
[...]

Thanks Russ, this is all interesting to consider.

I'm definitely drifting off-topic now, but what we have found useful is
approaching the matter from different perspectives other than that purely of
password quality - e.g.  using fail2ban/iptables/tcpwrappers to guard against
brute-force attacks and automated summaries telling our users when they have
authenticated, and from where - so they can spot potential anomalies.

Cheers
Toby
