[461] in Kerberos-V5-bugs
Bug in kpasswd
daemon@ATHENA.MIT.EDU (Lee A. Butler)
Fri Apr 15 08:59:39 1994
Date: Fri, 15 Apr 94 6:42:26 EDT
From: "Lee A. Butler" <butler@ARL.MIL>
To: kerberos@MIT.EDU
Cc: krb5-bugs@MIT.EDU
There is a bug in kpasswd/libkrb5.a as it exists in Beta 3 of Kerberos V.
Scenario:
% kpasswd
Old password for principal@REALM: <old-pwd>
Enter new password: <CR>
Re-enter new password for verification: <CR>
Password changed.
%
At this point the principal has a null password which cannot be entered or
changed. It now takes admin privileges to set a new password for the
principal. The user should not be able to enter/create a non-reproducible or
non-reusable password.
This can be viewed as a flaw in one (or both) of the following:
read_pwd.c: krb5_read_password()
This routine performs the fgets() call and then gleefully replaces
the newline character with a null, thus making (and accepting)
a zero length password.
kpasswd.c:
fails to check to see if the new password has length < 1.
In the case of kpasswd.c, I suggest that it exit early if a 0 length "new
password" is provided.
Lee A. Butler
Attn: AMSRL-SL-BV
U.S. Army Research Laboratory Internet: butler@brl.mil
Aberdeen Proving Ground, MD 21005-5068 Phone: (410) 278-9200
As nightfall does not come at once, neither does oppression.
In both instances, there is a twilight when everything remains seemingly
unchanged. And it is in such twilight that we all must be most aware of
change in the air--however slight--lest we become unwitting victims of
the darkness. --- Justice William O. Douglas
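The two spots the report names, the line reader that strips the newline and the kpasswd-side length check, as a hypothetical C sketch added here (not libkrb5 or kpasswd code; the function names are assumptions):

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical sketch of the two spots named in the report; this is
 * not libkrb5 or kpasswd code, only a model of the pattern. */

/* Reader as described: fgets() fills the buffer, the trailing newline
 * is replaced with NUL, and whatever remains, even nothing, is handed
 * back as the password. Returns the resulting length. */
size_t read_pwd_lenient(char *buf)
{
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return len;
}

/* Hardened reader: same newline handling, but a zero-length result is
 * an error (returns -1) rather than a password (returns 0). */
int read_pwd_strict(char *buf, size_t *lenp)
{
    *lenp = read_pwd_lenient(buf);
    return *lenp == 0 ? -1 : 0;
}

/* Caller-side guard the report suggests for kpasswd: bail out before
 * going any further if the new password has length < 1. */
int new_password_ok(const char *newpw)
{
    return newpw != NULL && newpw[0] != '\0';
}

/* Runs the session from the report on one constructed line, exactly as
 * fgets() would return it (newline included). Returns 1 when the change
 * is refused by the hardened path, 0 when it would go through. */
int change_refused(const char *typed)
{
    char buf[256];
    size_t len;
    strncpy(buf, typed, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    if (read_pwd_strict(buf, &len) != 0)
        return 1;
    return new_password_ok(buf) ? 0 : 1;
}
```

With the lenient reader a bare <CR> yields length 0 and is accepted; either the strict reader or the caller-side guard alone is enough to refuse it.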