[31480] in Kerberos


Re: addprinc -randkey broken in 1.7?

daemon@ATHENA.MIT.EDU (Mike Friedman)
Wed Sep 16 18:40:26 2009

X-Barracuda-Envelope-From: mikef@berkeley.edu
Date: Wed, 16 Sep 2009 15:39:37 -0700 (PDT)
From: Mike Friedman <mikef@berkeley.edu>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87pr9q8x7q.fsf@windlord.stanford.edu>
Message-ID: <alpine.BSF.1.10.0909161534150.15429@brillig.security.berkeley.edu>
MIME-Version: 1.0
Cc: "Leonard J. Peirce" <leonard.peirce@gmail.com>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 16 Sep 2009 at 13:13 (-0700), Russ Allbery wrote:

> "Leonard J. Peirce" <leonard.peirce@gmail.com> writes:
>
>> When running (in kadmin)
>
>>   addprinc -randkey host/host.domain
>
>> I get a complaint about the password not containing enough character 
>> classes.  Did I miss something?  Not really a big deal since I can just 
>> specify a password.
>
>> It used to work in 1.6.
>
> addprinc -randkey hasn't worked for principals that have a password 
> policy set for some time for me.  The way -randkey works under the hood
> is that it adds the principal disabled with a fixed password (which is 
> indeed pretty bad except that it's very long), then randomizes the key, 
> and then enables the principal.

Russ,

I'm running 1.6.3 and don't have this problem.  In fact, looking at the 
code in src/kadmin/cli/kadmin.c, it appears that when '-randkey' is used 
for addprinc, the password is set initially to a 256 character string 
containing all possible character values from 1 thru 255 plus a 
terminating 0 (and then randomized in a separate step).  This, I would 
think, should satisfy any password policy.

OK, so maybe I'm misinterpreting the code.  But the fact is that I add 
host principals with -randkey all the time with no problem.  I've been 
doing this for several releases up to and including our current 1.6.3. 
We may go to 1.7 soon, so possibly something's changed there, but in the 
meantime, could someone clarify all this?

Thanks.

_________________________________________________________________________
Mike Friedman                        Information Services & Technology
mikef@berkeley.edu                   2484 Shattuck Avenue
1-510-642-1410                       University of California at Berkeley
http://mikef.berkeley.edu            http://ist.berkeley.edu
_________________________________________________________________________
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkqxaSkACgkQFgKSfLOvZ1R4AQCfXFXtJkRSnWJ674knaWY9lwep
v4QAnjeWdiKCZmF3U84Jvc5hcQpLU2px
=FcNU
-----END PGP SIGNATURE-----
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
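The disagreement above turns on whether the placeholder password that kadmin sets before randomizing the key can ever trip a character-class policy. The following is an added example, not code from MIT krb5 or from any of the posters: it builds a placeholder of the shape Mike describes (every byte value 1 through 255, then a terminating 0) and counts character classes with the common five-class scheme (lowercase, uppercase, digit, punctuation, everything else). The classification itself, the class names and the function names are assumptions for illustration; they are not taken from kadmin.c or the kadm5 policy code.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not MIT krb5 code). Fill buf with the placeholder password
 * described in the thread: byte values 1..255 in order, then a terminating 0.
 * Returns the string length (255), or 0 if the buffer is too small. */
size_t build_dummy_password(unsigned char *buf, size_t bufsize)
{
    if (bufsize < 256)
        return 0;
    for (int i = 1; i < 256; i++)
        buf[i - 1] = (unsigned char)i;
    buf[255] = 0;
    return 255;
}

/* Assumed five-class scheme: lowercase, uppercase, digit, punctuation, other
 * (control bytes and anything above 0x7F fall into "other" in the C locale).
 * Returns how many distinct classes occur in pw[0..len). */
int count_char_classes(const unsigned char *pw, size_t len)
{
    int lower = 0, upper = 0, digit = 0, punct = 0, other = 0;
    for (size_t i = 0; i < len; i++) {
        int c = pw[i];           /* already unsigned, safe for <ctype.h> */
        if (islower(c))      lower = 1;
        else if (isupper(c)) upper = 1;
        else if (isdigit(c)) digit = 1;
        else if (ispunct(c)) punct = 1;
        else                 other = 1;
    }
    return lower + upper + digit + punct + other;
}

/* Minimal policy check covering only the two knobs discussed in the thread:
 * minimum length and minimum number of character classes. Returns 1 on pass. */
int meets_policy(const unsigned char *pw, size_t len,
                 size_t min_length, int min_classes)
{
    return len >= min_length && count_char_classes(pw, len) >= min_classes;
}

int main(void)
{
    unsigned char pw[256];
    size_t len = build_dummy_password(pw, sizeof pw);
    /* Constructed weak sample for contrast: one class only. */
    const unsigned char weak[] = "password";

    printf("placeholder: length %zu, classes %d, passes (min 8 chars, 5 classes): %s\n",
           len, count_char_classes(pw, len),
           meets_policy(pw, len, 8, 5) ? "yes" : "no");
    printf("\"password\":  length %zu, classes %d, passes (min 8 chars, 2 classes): %s\n",
           (size_t)8, count_char_classes(weak, 8),
           meets_policy(weak, 8, 8, 2) ? "yes" : "no");
    return 0;
}
```

Under this classification the placeholder hits all five classes, which is the strongest class requirement a policy can express, so a class-count rejection of `addprinc -randkey` would have to come from a different code path or a different placeholder than the one described in the message, which is what the thread is trying to pin down.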
