By using the special salt type and generating a random salt we can rename a user's principal name without invalidating their password.
This works only if pre-authentication is required, but that is how we configure our server anyway. This patch does not disallow "normal" salts, but if they are used they will prevent renames from working correctly. By default, "special" is used. Simo. -- Simo Sorce * Red Hat, Inc * New York
>From 2accddf2bb85ea41e73c2ff48f4c39fc4c6b5e90 Mon Sep 17 00:00:00 2001
From: Simo Sorce <sso...@redhat.com>
Date: Wed, 27 Oct 2010 15:05:56 -0400
Subject: [PATCH] pwd-plugin: Always use a special salt by default.

This should make renamed users able to keep using old credentials as the salt is not derived from the principal name but is always a random quantity.
https://fedorahosted.org/freeipa/ticket/412
---
 .../ipa-pwd-extop/ipapwd_encoding.c | 50 +++++++++-----------
 install/share/default-keytypes.ldif | 14 +++-
 2 files changed, 30 insertions(+), 34 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 462622a518c60574d15399e025d60655ca21c2f0..527e178fe01b9f775fb0522f81eeedfcbde0ee50 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
 
 case KRB5_KDB_SALTTYPE_NORMAL:
 
- /* If pre auth is required we can set a random salt, otherwise
- * we have to use a more conservative approach and set the salt
- * to be REALMprincipal (the concatenation of REALM and principal
- * name without any separator) */
-#if 0
- if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) {
- salt.length = KRB5P_SALT_SIZE;
- salt.data = malloc(KRB5P_SALT_SIZE);
- if (!salt.data) {
- LOG_OOM();
- goto enc_error;
- }
- krberr = krb5_c_random_make_octets(krbctx, &salt);
- if (krberr) {
- LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
- krb5_get_error_message(krbctx, krberr));
- goto enc_error;
- }
- } else {
-#endif
- krberr = krb5_principal2salt(krbctx, princ, &salt);
- if (krberr) {
- LOG_FATAL("krb5_principal2salt failed [%s]\n",
- krb5_get_error_message(krbctx, krberr));
- goto enc_error;
- }
-#if 0
+ krberr = krb5_principal2salt(krbctx, princ, &salt);
+ if (krberr) {
+ LOG_FATAL("krb5_principal2salt failed [%s]\n",
+ krb5_get_error_message(krbctx, krberr));
+ goto enc_error;
+ }
+ break;
+
+ case KRB5_KDB_SALTTYPE_SPECIAL:
+
+ /* make random salt */
+ salt.length = KRB5P_SALT_SIZE;
+ salt.data = malloc(KRB5P_SALT_SIZE);
+ if (!salt.data) {
+ LOG_OOM();
+ goto enc_error;
+ }
+ krberr = krb5_c_random_make_octets(krbctx, &salt);
+ if (krberr) {
+ LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
+ krb5_get_error_message(krbctx, krberr));
+ goto enc_error;
 }
-#endif
 break;
 
 case KRB5_KDB_SALTTYPE_V4:
diff --git a/install/share/default-keytypes.ldif b/install/share/default-keytypes.ldif
index 8561b98dcc26bfc71ee6455dec391ee023b10fe7..8093b6989851ad632e4e5954496f5ae8cde10ddd 100644
--- a/install/share/default-keytypes.ldif
+++ b/install/share/default-keytypes.ldif
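Review bot: The new `case KRB5_KDB_SALTTYPE_SPECIAL:` branch drops the pre-authentication caveat that the removed comment carried, and the cover letter says the random salt is only correct when pre-auth is required; nothing in the hunk records that any more. I would replace `/* make random salt */` with a comment stating that the salt is a random quantity rather than derived from the principal name, so renaming the principal keeps the key usable, and that this relies on the KDC supplying the salt to the client, which the cover letter ties to pre-authentication being required. It would also help to note at `case KRB5_KDB_SALTTYPE_NORMAL:` that a principal-derived salt ties the key to the name, so a rename invalidates the password, which is why the default moved away from it. The `goto enc_error` taken after `salt.data` has been allocated, and the rest of encrypt_encode_key, are outside the hunk, so whether salt.data is released on that path cannot be checked here.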
@@ -3,9 +3,13 @@ dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbSupportedEncSaltTypes
 krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes256-cts:special
 krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:special
 krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:special
 krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: arcfour-hmac:special
 krbSupportedEncSaltTypes: des-hmac-sha1:normal
 krbSupportedEncSaltTypes: des-cbc-md5:normal
 krbSupportedEncSaltTypes: des-cbc-crc:normal
@@ -22,10 +26,8 @@ krbMaxRenewableAge: 604800
 dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:normal
-krbDefaultEncSaltTypes: aes128-cts:normal
-krbDefaultEncSaltTypes: des3-hmac-sha1:normal
-krbDefaultEncSaltTypes: arcfour-hmac:normal
-krbDefaultEncSaltTypes: des-hmac-sha1:normal
-krbDefaultEncSaltTypes: des-cbc-md5:normal
+krbDefaultEncSaltTypes: aes256-cts:special
+krbDefaultEncSaltTypes: aes128-cts:special
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
+krbDefaultEncSaltTypes: arcfour-hmac:special
 
--
1.7.2.3
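Review bot: The krbDefaultEncSaltTypes list in the second hunk now holds only `:special` entries, but the first hunk adds `:special` variants only for aes256-cts, aes128-cts, des3-hmac-sha1 and arcfour-hmac, so des-hmac-sha1, des-cbc-md5 and des-cbc-crc remain creatable only with a principal-derived `:normal` salt; any principal that is still given DES keys will keep breaking on rename, which neither the commit message nor the cover letter mentions. If dropping DES from the defaults is the intended way to avoid that, a `#` comment line above `add: krbDefaultEncSaltTypes` saying that DES enctypes are deliberately left out because they have no special-salt variant would make the choice visible; otherwise the DES entries need matching lines such as `krbSupportedEncSaltTypes: des-hmac-sha1:special`. Since this file lives under install/share it presumably only shapes new realms, so existing installations would keep their old `:normal` defaults unless an upgrade step is added; worth confirming.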