pwd-plugin: Always use a special salt by default.

This should make renamed users able to keep using old credentials as the salt is not derived from the principal name but is always a random quantity. https://fedorahosted.org/freeipa/ticket/412
2025-02-25 18:55:28 -06:00 · 2010-10-27 15:05:56 -04:00 · 2010-10-27 15:05:56 -04:00 · 4f8e4482b3
commit 4f8e4482b3
parent 79c39339da
2 changed files with 30 additions and 34 deletions
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@ -350,35 +350,29 @@ static Slapi_Value **encrypt_encode_key(struct ipapwd_krbcfg *krbcfg,

        case KRB5_KDB_SALTTYPE_NORMAL:

-            /* If pre auth is required we can set a random salt, otherwise
-             * we have to use a more conservative approach and set the salt
-             * to be REALMprincipal (the concatenation of REALM and principal
-             * name without any separator) */
-#if 0
-            if (krbTicketFlags & KTF_REQUIRES_PRE_AUTH) {
-                salt.length = KRB5P_SALT_SIZE;
-                salt.data = malloc(KRB5P_SALT_SIZE);
-                if (!salt.data) {
-                    LOG_OOM();
-                    goto enc_error;
-                }
-                krberr = krb5_c_random_make_octets(krbctx, &salt);
-                if (krberr) {
-                    LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
-                              krb5_get_error_message(krbctx, krberr));
-                    goto enc_error;
-                }
-            } else {
-#endif
-                krberr = krb5_principal2salt(krbctx, princ, &salt);
-                if (krberr) {
-                    LOG_FATAL("krb5_principal2salt failed [%s]\n",
-                              krb5_get_error_message(krbctx, krberr));
-                    goto enc_error;
-                }
-#if 0
+            krberr = krb5_principal2salt(krbctx, princ, &salt);
+            if (krberr) {
+                LOG_FATAL("krb5_principal2salt failed [%s]\n",
+                          krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
+            }
+            break;
+
+        case KRB5_KDB_SALTTYPE_SPECIAL:
+
+            /* make random salt */
+            salt.length = KRB5P_SALT_SIZE;
+            salt.data = malloc(KRB5P_SALT_SIZE);
+            if (!salt.data) {
+                LOG_OOM();
+                goto enc_error;
+            }
+            krberr = krb5_c_random_make_octets(krbctx, &salt);
+            if (krberr) {
+                LOG_FATAL("krb5_c_random_make_octets failed [%s]\n",
+                          krb5_get_error_message(krbctx, krberr));
+                goto enc_error;
            }
-#endif
            break;

        case KRB5_KDB_SALTTYPE_V4:
--- a/install/share/default-keytypes.ldif
+++ b/install/share/default-keytypes.ldif
@ -3,9 +3,13 @@ dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbSupportedEncSaltTypes
 krbSupportedEncSaltTypes: aes256-cts:normal
+krbSupportedEncSaltTypes: aes256-cts:special
 krbSupportedEncSaltTypes: aes128-cts:normal
+krbSupportedEncSaltTypes: aes128-cts:special
 krbSupportedEncSaltTypes: des3-hmac-sha1:normal
+krbSupportedEncSaltTypes: des3-hmac-sha1:special
 krbSupportedEncSaltTypes: arcfour-hmac:normal
+krbSupportedEncSaltTypes: arcfour-hmac:special
 krbSupportedEncSaltTypes: des-hmac-sha1:normal
 krbSupportedEncSaltTypes: des-cbc-md5:normal
 krbSupportedEncSaltTypes: des-cbc-crc:normal
@ -22,10 +26,8 @@ krbMaxRenewableAge: 604800
 dn: cn=$REALM,cn=kerberos,$SUFFIX
 changetype: modify
 add: krbDefaultEncSaltTypes
-krbDefaultEncSaltTypes: aes256-cts:normal
-krbDefaultEncSaltTypes: aes128-cts:normal
-krbDefaultEncSaltTypes: des3-hmac-sha1:normal
-krbDefaultEncSaltTypes: arcfour-hmac:normal
-krbDefaultEncSaltTypes: des-hmac-sha1:normal
-krbDefaultEncSaltTypes: des-cbc-md5:normal
+krbDefaultEncSaltTypes: aes256-cts:special
+krbDefaultEncSaltTypes: aes128-cts:special
+krbDefaultEncSaltTypes: des3-hmac-sha1:special
+krbDefaultEncSaltTypes: arcfour-hmac:special