krb5-kdc-ldap plugin crashes krb5-kdc sometimes when password policy is set
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| krb5 (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
Binary package hint: krb5-kdc
I have a krb5kdc server running, using openldap as a data store. This works great and, for most clients, it is fine. I have a password policy set as follows:
krbMaxPwdLife: 3628800
krbMinPwdLife: 0
krbPwdMinDiffChars: 1
krbPwdMinLength: 6
krbPwdHistoryLe
krbPwdMaxFailure: 20
krbPwdFailureCo
krbPwdLockoutDu
I have a zimbra server running, configured to use kerberos5 for authentication. This appears to be working. I left a mail client (Thunderbird) running, periodically checking for new messages. After a few hours, krb5kdc crashed. I ran it through strace and found the following:
krb5kdc: ../../../../../ src/plugins/
I took a peek at the code, but the assertion line didn't mean that much to me. It did point me to the krbPwdLockoutDu
Regardless, it shouldn't be possible to crash the KDC and I can now do it very reliably. Any idea what the assertion is checking for and what I can do to prevent this from happening?
ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: krb5-kdc-ldap 1.8.1+dfsg-
ProcVersionSign
Uname: Linux 2.6.32-23-server x86_64
Architecture: amd64
Date: Tue Feb 8 22:53:43 2011
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
ProcEnviron:
PATH=(custom, no user)
LANG=en_US.UTF-8
SHELL=/bin/bash
SourcePackage: krb5
Changed in krb5 (Ubuntu):
- importance: Undecided → Medium
- status: New → Confirmed
If this allows an attacker to cause a DoS by crashing the KDC, should I have checked the "Security issue" checkbox?