[19840] in Kerberos_V5_Development
Re: Is there a valid case for an empty password?
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Fri Oct 12 13:06:18 2018
From: Robbie Harwood <rharwood@redhat.com>
To: Greg Hudson <ghudson@mit.edu>, Weijun Wang <weijun.wang@oracle.com>,
krbdev@mit.edu
In-Reply-To: <b66b63c4-3367-b4ee-1c32-a5b83fa44bc2@mit.edu>
Date: Fri, 12 Oct 2018 13:05:56 -0400
Message-ID: <jlgin27hz7v.fsf@redhat.com>
Greg Hudson <ghudson@mit.edu> writes:
> On 10/11/2018 11:19 PM, Weijun Wang wrote:
>
>> We are planning to disallow empty passwords for PBKDF2 in
>> JDK. However, some years ago I did receive a bug report to support
>> empty passwords on Windows 200x. Is it really a valid password?
>
> RFC 3961 says (about string-to-key) "all valid UTF-8 strings should be
> allowed" and doesn't say anything about a minimum length.
>
> MIT krb5 had a bug where empty passwords wouldn't work via the API
> (but would work via the prompter). We fixed it in 1.12:
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7642
>
> The fix was prompted by Fedora bug reports such as:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=960001
>
> Of course there is basically no security value to a key derived from
> an empty password. But I guess there have been some use cases anyway.
That bug was for a contrived test, so it's not much of a use case on its
own. In practice IPA will prohibit empty strings (and other weaker
passwords) in policy so I don't think we're particularly concerned about
having it work.
That said, I think your reading of 3961 is correct.
Thanks,
--Robbie
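Added illustration for the thread above (not code from MIT krb5, the JDK or IPA): the PBKDF2 stage of the RFC 3962 AES string-to-key function, run on the RFC 3962 test vector and then on an empty password. RFC 3961 puts no minimum length on the string, so hashlib's PBKDF2 simply accepts the empty password and yields a key that anyone who knows the (public) salt can recompute. The default-salt helper (realm followed by the principal name components, which is what the RFC 3962 vectors use) and the `reject_empty` policy knob are this example's own; the second stage of string-to-key (DK with AES, RFC 3962 Section 4) is omitted because it needs an AES primitive outside the standard library, and the JDK question concerns the PBKDF2 stage anyway.

```python
"""Added example (not MIT krb5/JDK/IPA code): RFC 3962 PBKDF2 stage of
string-to-key, showing that an empty password is a valid input."""
import hashlib
from typing import Sequence

# RFC 3962 default iteration count for the AES enctypes.
DEFAULT_ITERATIONS = 4096

# RFC 3962 Appendix B vector: iterations=1, password "password",
# salt "ATHENA.MIT.EDUraeburn", 128-bit PBKDF2 output.
RFC3962_VECTOR_128 = bytes.fromhex("cdedb5281bb2f801565a1122b2563515")


def default_salt(realm: str, components: Sequence[str]) -> bytes:
    """Kerberos default salt (assumed form for this example): realm name
    followed by the principal name components, concatenated, UTF-8."""
    return (realm + "".join(components)).encode("utf-8")


def pbkdf2_stage(password: str, salt: bytes,
                 iterations: int = DEFAULT_ITERATIONS,
                 key_len: int = 16,
                 reject_empty: bool = False) -> bytes:
    """PBKDF2-HMAC-SHA1(password, salt, iterations, key_len), the first
    stage of RFC 3962 string-to-key.

    RFC 3961 allows any valid UTF-8 string, so by default the empty
    password goes through. reject_empty is a local policy switch of the
    kind the thread mentions (JDK, IPA), not part of the RFC.
    """
    if reject_empty and password == "":
        raise ValueError("empty password rejected by local policy")
    # hashlib accepts a zero-length password; PBKDF2 is defined for it.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, dklen=key_len)


def empty_password_key(realm: str, components: Sequence[str]) -> bytes:
    """The key an attacker can derive knowing only the public salt when the
    principal's password is empty: no secret enters the computation."""
    return pbkdf2_stage("", default_salt(realm, components))


if __name__ == "__main__":
    salt = default_salt("ATHENA.MIT.EDU", ["raeburn"])
    print("RFC 3962 vector ok:",
          pbkdf2_stage("password", salt, iterations=1) == RFC3962_VECTOR_128)
    print("empty password key:", empty_password_key("ATHENA.MIT.EDU",
                                                    ["raeburn"]).hex())
```

Running it confirms the RFC 3962 vector and prints the key the empty password maps to; with `reject_empty=True` the same call raises, which is the behaviour the JDK change and IPA's policy impose on top of the RFC.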
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev