From 83def5bc18251f474ea09f1f49e4c0a207c85458 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Thu, 27 Dec 2018 16:27:16 +1100
Subject: [PATCH] kadmin: do not assign passwords at realm initialization

Since c6bf100b password quality checks have been moved out of kadmindd and into libkadm5. This means that all password changes are subject to quality checks, if enforce_on_admin_set is true (the default). In rare instances it could be possible for realm initialization to fail because the randomly generated passwords do not pass the password quality test. Fix this by creating principals with no password or key, rather than with a random password. Random *keys* continue to be set immediately after the principal is created, and before DISALLOW_ALL_TIX is unset, so there should be no functionality or security implications from this change. It is safe to call a server-side API such as kadm5_s_create_principal_with_key() as local_flag is asserted to be true.
---
 kadmin/init.c | 13 ++++---------
 1 file changed, 4 insertions(+), 9 deletions(-)

diff --git a/kadmin/init.c b/kadmin/init.c
index 20ed93216..47201424e 100644
--- a/kadmin/init.c
+++ b/kadmin/init.c
@@ -52,11 +52,6 @@ create_random_entry(krb5_principal princ,
     krb5_keyblock *keys;
     int n_keys, i;
     char *name;
-    const char *password;
-    char pwbuf[512];
-
-    random_password(pwbuf, sizeof(pwbuf));
-    password = pwbuf;
 
     ret = krb5_unparse_name(context, princ, &name);
     if (ret) {
@@ -76,14 +71,14 @@ create_random_entry(krb5_principal princ,
         mask |= KADM5_MAX_RLIFE;
     }
     ent.attributes |= attributes | KRB5_KDB_DISALLOW_ALL_TIX;
-    mask |= KADM5_ATTRIBUTES;
+    mask |= KADM5_ATTRIBUTES | KADM5_KEY_DATA;
 
-    /* Create the entry with a random password */
-    ret = kadm5_create_principal(kadm_handle, &ent, mask, password);
+    /* Create the entry with no keys or password */
+    ret = kadm5_s_create_principal_with_key(kadm_handle, &ent, mask);
     if(ret) {
         if (ret == KADM5_DUP && (flags & CRE_DUP_OK))
             goto out;
-        krb5_warn(context, ret, "create_random_entry(%s): randkey failed",
+        krb5_warn(context, ret, "create_random_entry(%s): create failed",
                   name);
         goto out;
     }
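Review bot: The new `ret = kadm5_s_create_principal_with_key(kadm_handle, &ent, mask);` line passes `KADM5_KEY_DATA` in the mask, so the "no keys or password" outcome depends on `ent.key_data`/`ent.n_key_data` being zero at this point and on `kadm_handle` being a local (server-side) handle; neither precondition is visible in the hunk, and only the commit message, not the code, records the `local_flag` assertion. I would widen the comment so a later edit does not reintroduce a client-side path: `/* Create the entry with no keys or password: ent carries no key_data, and this server-side API requires a local (in-process) kadm_handle. Keys are randomised below while DISALLOW_ALL_TIX is still set. */`. The keyless window is covered by `KRB5_KDB_DISALLOW_ALL_TIX`, which the line above ORs into `ent.attributes` before the create, so the ordering of the later randkey step relative to clearing that attribute is the property worth stating in a comment there as well. create_random_entry starts and ends outside this hunk, so I could not confirm that no other use of the removed `password` variable remains further down.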