pwd-plugin: Always use a special salt by default.

This should make renamed users able to keep using old credentials as the salt is not derived from the principal name but is always a random quantity. https://fedorahosted.org/freeipa/ticket/412
2025-02-25 18:55:28 -06:00 · 2010-10-27 15:05:56 -04:00
parent 79c39339da
commit 4f8e4482b3
2 changed files with 30 additions and 34 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,
        case KRB5_KDB_SALTTYPE_NORMAL:
-            /* If pre auth is required we can set a random salt, otherwise
+            krberr = krb5_principal2salt(krbctx, princ, &salt);
-             * we have to use a more conservative approach and set the salt
+            if (krberr) {
-             * to be REALMprincipal (the concatenation of REALM and principal
+                LOG_FATAL("krb5_principal2salt failed [%s]\n",
-             * name without any separator) */
+                          krb5_get_error_message(krbctx, krberr));
-#if 0
+                goto enc_error;
-            if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) {
+            }
-                salt.length = KRB5P_SALT_SIZE;
+            break;
-                salt.data = malloc(KRB5P_SALT_SIZE);
+
-                if (!salt.data) {
+        case KRB5_KDB_SALTTYPE_SPECIAL:
-                    LOG_OOM();
+
-                    goto enc_error;
+            /* make random salt */
-                }
+            salt.length = KRB5P_SALT_SIZE;
-                krberr = krb5_c_random_make_octets(krbctx, &salt);
+            salt.data = malloc(KRB5P_SALT_SIZE);
-                if (krberr) {
+            if (!salt.data) {
-                    LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
+                LOG_OOM();
-                              krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
-                    goto enc_error;
+            }
-                }
+            krberr = krb5_c_random_make_octets(krbctx, &salt);
-            } else {
+            if (krberr) {
-#endif
+                LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
-                krberr = krb5_principal2salt(krbctx, princ, &salt);
+                          krb5_get_error_message(krbctx, krberr));
-                if (krberr) {
+                goto enc_error;
                    LOG_FATAL("krb5_principal2salt failed [%s]\n",
                              krb5_get_error_message(krbctx, krberr));
                    goto enc_error;
                }
 #if 0
            }
 #endif
            break;
        case KRB5_KDB_SALTTYPE_V4:
--- a/install/share/default-keytypes.ldif
+++ b/install/share/default-keytypes.ldif
@@ -3,9 +3,13 @@ dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbSupportedEncSaltTypes
 krbSupportedEncSaltTypes: aes256-cts:normal
 krbSupportedEncSaltTypes: aes256-cts:special
 krbSupportedEncSaltTypes: aes128-cts:normal
 krbSupportedEncSaltTypes: aes128-cts:special
 krbSupportedEncSaltTypes: des3-hmac-sha1:normal
 krbSupportedEncSaltTypes: des3-hmac-sha1:special
 krbSupportedEncSaltTypes: arcfour-hmac:normal
 krbSupportedEncSaltTypes: arcfour-hmac:special
 krbSupportedEncSaltTypes: des-hmac-sha1:normal
 krbSupportedEncSaltTypes: des-cbc-md5:normal
 krbSupportedEncSaltTypes: des-cbc-crc:normal
@@ -22,10 +26,8 @@ krbMaxRenewableAge: 604800
 dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:normal
+krbDefaultEncSaltTypes: aes256-cts:special
-krbDefaultEncSaltTypes: aes128-cts:normal
+krbDefaultEncSaltTypes: aes128-cts:special
-krbDefaultEncSaltTypes: des3-hmac-sha1:normal
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
-krbDefaultEncSaltTypes: arcfour-hmac:normal
+krbDefaultEncSaltTypes: arcfour-hmac:special
 krbDefaultEncSaltTypes: des-hmac-sha1:normal
 krbDefaultEncSaltTypes: des-cbc-md5:normal