Bug 819

Summary: patch to add kerberos password-changing
Product: Portable OpenSSH Reporter: Buck Huppmann <buckh>
Component: Kerberos supportAssignee: OpenSSH Bugzilla mailing list <openssh-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm
Priority: P2    
Version: 3.8p1   
Hardware: UltraSPARC   
OS: Solaris   
Attachments:
Description Flags
referenced patch
none
updated patch none

Description Buck Huppmann 2004-03-26 07:51:49 AEDT 
here's a patch that invokes kpasswd in the event the KDC fails to authenticate
a user's kerberos-5 password b/c it's expired: it attempts to get a ticket for
kadmin/changepw and, if that works, dumps the user into kpasswd instead of
passwd

note that i don't consider myself security-cognizant enough to have thought
through all the ramifications of this and whether it might not be opening up
holes. nevertheless, i'm submitting it in case it's not completely demented,
so you all can figure out whether to implement it and, hopefully, code it up
so it doesn't have the bugs my patch undoubtedly does
Comment 1 Buck Huppmann 2004-03-26 07:52:59 AEDT 
Created attachment 576 [details]
referenced patch
Comment 2 Buck Huppmann 2004-03-31 01:09:33 AEST 
Created attachment 581 [details]
updated patch

sorry. slight fix to work with MIT krb5 libraries. of course, MIT's kpasswd
isn't working when it gets exec-ed (i have the same problem as this guy:
http://mailman.mit.edu/pipermail/kerberos/2003-October/003990.html
), but, anyway, . . .
Comment 3 Damien Miller 2015-11-13 14:21:52 AEDT 
This can be done using PAM kbd-int without server modifications. I don't think we want to implement it again in the server.
Comment 4 Damien Miller 2016-08-02 10:41:22 AEST 
Close all resolved bugs after 7.3p1 release