By using the special salt type and generating a random salt we can
rename user's principal name without invalidating their password.

This works only if pre-authentication is required, but that's how we
configure our server anyway.

This patch does not disallow "normal" salts, but if they are used they will
prevent renames from working correctly.
By default, the special salt type is used.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
>From 2accddf2bb85ea41e73c2ff48f4c39fc4c6b5e90 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 27 Oct 2010 15:05:56 -0400
Subject: [PATCH] pwd-plugin: Always use a special salt by default.

This should make renamed users able to keep using old credentials as the salt
is not derived from the principal name but is always a random quantity.

https://fedorahosted.org/freeipa/ticket/412
---
 .../ipa-pwd-extop/ipapwd_encoding.c                |   50 +++++++++-----------
 install/share/default-keytypes.ldif                |   14 +++--
 2 files changed, 30 insertions(+), 34 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 462622a518c60574d15399e025d60655ca21c2f0..527e178fe01b9f775fb0522f81eeedfcbde0ee50 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
         case KRB5_KDB_SALTTYPE_NORMAL:
 
-            /* If pre auth is required we can set a random salt, otherwise
-             * we have to use a more conservative approach and set the salt
-             * to be REALMprincipal (the concatenation of REALM and principal
-             * name without any separator) */
-#if 0
-            if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) {
-                salt.length = KRB5P_SALT_SIZE;
-                salt.data = malloc(KRB5P_SALT_SIZE);
-                if (!salt.data) {
-                    LOG_OOM();
-                    goto enc_error;
-                }
-                krberr = krb5_c_random_make_octets(krbctx, &salt);
-                if (krberr) {
-                    LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
-                              krb5_get_error_message(krbctx, krberr));
-                    goto enc_error;
-                }
-            } else {
-#endif
-                krberr = krb5_principal2salt(krbctx, princ, &salt);
-                if (krberr) {
-                    LOG_FATAL("krb5_principal2salt failed [%s]\n",
-                              krb5_get_error_message(krbctx, krberr));
-                    goto enc_error;
-                }
-#if 0
+            krberr = krb5_principal2salt(krbctx, princ, &salt);
+            if (krberr) {
+                LOG_FATAL("krb5_principal2salt failed [%s]\n",
+                          krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
+            }
+            break;
+
+        case KRB5_KDB_SALTTYPE_SPECIAL:
+
+            /* make random salt */
+            salt.length = KRB5P_SALT_SIZE;
+            salt.data = malloc(KRB5P_SALT_SIZE);
+            if (!salt.data) {
+                LOG_OOM();
+                goto enc_error;
+            }
+            krberr = krb5_c_random_make_octets(krbctx, &salt);
+            if (krberr) {
+                LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
+                          krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
             }
-#endif
             break;
 
         case KRB5_KDB_SALTTYPE_V4:
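Review bot: The new KRB5_KDB_SALTTYPE_SPECIAL case records nothing about the constraint the cover letter states — a random salt only works when pre-authentication is required — and the removed comment above the NORMAL case was the only place in this function that mentioned it, so `/* make random salt */` is too thin. Suggest `/* Random salt, not derived from the principal name, so renames keep old keys usable; relies on pre-authentication being required (ticket 412). */` in its place. The SPECIAL case now owns a heap allocation (`salt.data = malloc(KRB5P_SALT_SIZE)`) before jumping to enc_error on a krb5_c_random_make_octets failure; enc_error lies outside the hunk, so confirm that label frees salt.data, otherwise that error path leaks it. Note also that salt.length is set before the malloc, so on the LOG_OOM path salt carries a non-zero length with a NULL data pointer — harmless for free(), but worth moving the length assignment after the NULL check if any cleanup inspects the length. The enclosing encrypt_encode_key begins before this hunk.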
diff --git a/install/share/default-keytypes.ldif b/install/share/default-keytypes.ldif
index 8561b98dcc26bfc71ee6455dec391ee023b10fe7..8093b6989851ad632e4e5954496f5ae8cde10ddd 100644
--- a/install/share/default-keytypes.ldif
+++ b/install/share/default-keytypes.ldif
@@ -3,9 +3,13 @@ dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbSupportedEncSaltTypes
 krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes256-cts:special
 krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:special
 krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:special
 krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: arcfour-hmac:special
 krbSupportedEncSaltTypes: des-hmac-sha1:normal
 krbSupportedEncSaltTypes: des-cbc-md5:normal
 krbSupportedEncSaltTypes: des-cbc-crc:normal
@@ -22,10 +26,8 @@ krbMaxRenewableAge: 604800
 dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:normal
-krbDefaultEncSaltTypes: aes128-cts:normal
-krbDefaultEncSaltTypes: des3-hmac-sha1:normal
-krbDefaultEncSaltTypes: arcfour-hmac:normal
-krbDefaultEncSaltTypes: des-hmac-sha1:normal
-krbDefaultEncSaltTypes: des-cbc-md5:normal
+krbDefaultEncSaltTypes: aes256-cts:special
+krbDefaultEncSaltTypes: aes128-cts:special
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
+krbDefaultEncSaltTypes: arcfour-hmac:special
 
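Review bot: The second hunk (@@ -22,10) removes des-hmac-sha1:normal and des-cbc-md5:normal from krbDefaultEncSaltTypes without adding :special counterparts, so presumably new passwords stop receiving single-DES keys altogether, which neither the subject line nor the description mentions. If dropping DES from the defaults is intended, it deserves a sentence in the commit message because clients that still depend on those enctypes would fail after the next password change; if it is not, the replacement block should keep those two entries. The first hunk (@@ -3,9) likewise adds :special only for the four non-DES types, leaving the DES types supported solely with the normal salt that the cover letter says breaks renames, so the two hunks should agree on whether DES remains supported and with which salt.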
-- 
1.7.2.3
