[31478] in Kerberos
Re: addprinc -randkey broken in 1.7?
daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Sep 16 16:19:30 2009
From: Russ Allbery <rra@stanford.edu>
To: "Leonard J. Peirce" <leonard.peirce@gmail.com>
In-Reply-To: <e91786ec-138c-4206-9b19-614042fce58c@p9g2000vbl.googlegroups.com>
(Leonard J. Peirce's message of "Wed, 16 Sep 2009 12:33:19 -0700
(PDT)")
Date: Wed, 16 Sep 2009 13:13:13 -0700
Message-ID: <87pr9q8x7q.fsf@windlord.stanford.edu>
Cc: kerberos@mit.edu
"Leonard J. Peirce" <leonard.peirce@gmail.com> writes:
> When running (in kadmin)
> addprinc -randkey host/host.domain
> I get a complaint about the password not containing enough character
> classes. Did I miss something? Not really a big deal since I can
> just specify a password.
> It used to work in 1.6.
addprinc -randkey hasn't worked for principals that have a password policy
set for some time for me. The way -randkey works under the hood is that
it adds the principal disabled with a fixed password (which is indeed
pretty bad except that it's very long), then randomizes the key, and then
enables the principal.

This has other strange artifacts (or at least did -- I don't know if
they've been fixed). For example, adding a principal with -randkey and
-disallow_all_tix results in an enabled principal, ignoring the
-disallow_all_tix option.
--
Russ Allbery (rra@stanford.edu) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
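
Added example, not part of the original message or of MIT Kerberos: a shell check that reads `getprinc` output and reports whether a principal created with -randkey still has DISALLOW_ALL_TIX set and whether a password policy is attached, the two conditions discussed above. The function names are hypothetical and the sample outputs are constructed, not captured from a real KDC.

```shell
#!/bin/sh
# Audit kadmin `getprinc` output after creating a principal with -randkey.
# Intended use (assumes a working kadmin login):
#   kadmin -q "getprinc host/host.example.com" | audit_disabled

# Print the value of one "Name: value" field from getprinc output on stdin.
princ_field() {
    awk -v key="$1" -F': *' '$1 == key { sub(/^[^:]*: */, ""); print; exit }'
}

# Exit status 0: DISALLOW_ALL_TIX is set (no tickets can be issued).
# Exit status 1: the principal is enabled.
# Exit status 2: no Attributes line was found (lookup failed).
audit_disabled() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '^Attributes:' || return 2
    attrs=$(printf '%s\n' "$out" | princ_field Attributes)
    case " $attrs " in
        *" DISALLOW_ALL_TIX "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status 0 if a password policy is attached to the principal.
# A policy is the condition under which -randkey was reported to fail.
has_policy() {
    pol=$(princ_field Policy)
    [ -n "$pol" ] && [ "$pol" != "[none]" ]
}

# Constructed sample: principal that kept the requested attribute.
SAMPLE_DISABLED='Principal: host/host.example.com@EXAMPLE.COM
Number of keys: 2
Attributes: REQUIRES_PRE_AUTH DISALLOW_ALL_TIX
Policy: [none]'

# Constructed sample: principal that ended up enabled, with a policy set.
SAMPLE_ENABLED='Principal: host/host.example.com@EXAMPLE.COM
Number of keys: 2
Attributes:
Policy: hostpolicy'

for s in "$SAMPLE_DISABLED" "$SAMPLE_ENABLED"; do
    if printf '%s\n' "$s" | audit_disabled; then state=disabled; else state=ENABLED; fi
    if printf '%s\n' "$s" | has_policy; then pol=yes; else pol=no; fi
    echo "tickets: $state, policy attached: $pol"
done
```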