RT/krbdev.mit.edu: Ticket #914 keytab add without randomizing key
 The Basics  
Id
914
Status
resolved
Worked
0 min
Priority
50/
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-admin
Version_reported
  • 1.2.1
Version_Fixed
  • 1.7
Target_Version
  • next
Tags
  • enhancement
 

 Dates  
Created: Tue Jan 9 18:03:00 2001
Starts: Not set
Started: Mon Apr 16 17:35:07 2007
Last Contact: Mon Apr 16 18:04:02 2007
Due: Not set
Updated: Fri Jan 30 23:08:17 2009 by tlyu
 

 People  
Owner
 rra
Requestors
 djm@web.us.uu.net
Cc
 
AdminCc
 

History
      Mon Aug 19 14:17:12 2002  RT_System - Default: Import/ changed from to    
     
From djm@web.us.uu.net  Tue Jan  9 18:02:57 2001
Message-Id: <20010109230254.C5DF046C3@dagger.web.us.uu.net>
Date: Tue,  9 Jan 2001 18:02:54 -0500 (EST)
From: djm@web.us.uu.net
Reply-To: djm@web.us.uu.net
To: krb5-bugs@mit.edu
Subject: keytab add without randomizing key
X-Send-Pr-Version: 3.99

>Number:         914
>Category:       krb5-admin
>Synopsis:       keytab add without randomizing key
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          change-request
>Submitter-Id:   unknown
>Arrival-Date:   Tue Jan  9 18:03:00 EST 2001
>Last-Modified:
>Originator:     David MacKenzie
>Organization:
UUNET Technologies
>Release:        krb5-1.2.1
>Environment:

System: Linux dagger.web.us.uu.net 2.2.14-15mdk #2 Sat Mar 11 19:32:26 EST 2000 i686
unknown
Architecture: i686

>Description:
We have a user who needs to both login normally and rcp data with a keytab from
a cron job.  Under krb4, this was possible because ext_srvtab doesn't change
the keys, but the krb5 kadmin ktadd command randomizes the keys.
The rationale given in the Kerberos FAQ for not having this ability is
that a compromised admin account could read out all of the keys in the KDC.
But if you restrict this function to kadmin.local, you have to be root on
the KDC anyway to use it, so there's no significant added risk.

>How-To-Repeat:
Use kadmin ktadd to create a keytab.  That principal can no longer be used
to login interactively with kinit or login.

>Fix:

Here is a patch for 1.2.1 that adds the missing capability securely:

Index: src/kadmin/cli/Makefile.in
===================================================================
RCS file: /export/src/CVS/usr.local/krb5-1.2/src/kadmin/cli/Makefile.in,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 Makefile.in
--- src/kadmin/cli/Makefile.in	2000/06/30 21:57:16	1.1.1.1
+++ src/kadmin/cli/Makefile.in	2000/12/22 18:04:08
@@ -6,18 +6,23 @@
 PROG_RPATH=$(KRB5_LIBDIR)

 PROG = kadmin
-OBJS = kadmin.o kadmin_ct.o ss_wrapper.o getdate.o keytab.o
+COMMON_OBJS = kadmin.o kadmin_ct.o ss_wrapper.o getdate.o
+KADMIN_OBJS = ${COMMON_OBJS} keytab.o
+KADMIN_LOCAL_OBJS = ${COMMON_OBJS} keytab_local.o

 all:: $(PROG).local $(PROG)

-$(PROG).local: $(OBJS) $(SS_DEPLIB) $(KADMSRV_DEPLIBS) $(KRB5_BASE_DEPLIBS)
-	$(CC_LINK) -o $(PROG).local $(OBJS) $(SS_LIB) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS)
+$(PROG).local: $(KADMIN_LOCAL_OBJS) $(SS_DEPLIB) $(KADMSRV_DEPLIBS)
$(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $(PROG).local $(KADMIN_LOCAL_OBJS) $(SS_LIB) $(KADMSRV_LIBS)
$(KRB5_BASE_LIBS)

-$(PROG): $(OBJS) $(SS_DEPLIB) $(KADMCLNT_DEPLIBS) $(KRB5_BASE_DEPLIBS)
-	$(CC_LINK) -o $(PROG) $(OBJS) $(SS_LIB) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS)
+$(PROG): $(KADMIN_OBJS) $(SS_DEPLIB) $(KADMCLNT_DEPLIBS) $(KRB5_BASE_DEPLIBS)
+	$(CC_LINK) -o $(PROG) $(KADMIN_OBJS) $(SS_LIB) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS)

 kadmin_ct.o: kadmin_ct.c

+keytab_local.o: keytab.c
+	$(CC) -c -o keytab_local.o $(ALL_CFLAGS) -DKADMIN_LOCAL ${srcdir}/keytab.c
+
 install::
 	$(INSTALL_PROGRAM) $(PROG).local ${DESTDIR}$(ADMIN_BINDIR)/$(PROG).local
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
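Review bot: the new keytab_local.o rule depends on the compiler accepting `-c` and `-o` in the same invocation (`$(CC) -c -o keytab_local.o $(ALL_CFLAGS) -DKADMIN_LOCAL ${srcdir}/keytab.c`), which not every compiler this tree targets supports; a small wrapper source for the kadmin.local build would let the default `.c.o` rule apply instead, which is the approach the follow-up commit on this ticket takes. Also, the `$(PROG).local:` dependency line and its `$(CC_LINK)` command are wrapped across two lines in the ticket text, so the patch as shown needs those lines rejoined before it applies.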
@@ -25,7 +30,7 @@
 	$(INSTALL_DATA) $(srcdir)/$(PROG).local.M ${DESTDIR}$(ADMIN_MANDIR)/$(PROG).local.8

 clean::
-	$(RM) $(PROG).local $(PROG) $(OBJS)
+	$(RM) $(PROG).local $(PROG) $(KADMIN_OBJS) $(KADMIN_LOCAL_OBJS)
 clean-unix::
 	$(RM) getdate.c kadmin_ct.c

Index: src/kadmin/cli/kadmin.M
===================================================================
RCS file: /export/src/CVS/usr.local/krb5-1.2/src/kadmin/cli/kadmin.M,v
retrieving revision 1.2
diff -u -r1.2 kadmin.M
--- src/kadmin/cli/kadmin.M	2000/07/31 14:11:17	1.2
+++ src/kadmin/cli/kadmin.M	2000/12/22 18:04:08
@@ -684,11 +684,29 @@
 .TP
 \fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
 .br
-[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
+[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
 .br
 Adds a principal or all principals matching
 .I princ-exp
-to a keytab, randomizing each principal's key in the process.  Requires the
+to a keytab.
+It randomizes each principal's key in the process, to prevent a
+compromised admin account from reading out all of the keys from the
+database.  However,
+.B kadmin.local
+has the
+.B \-norandkey
+option, which leaves the keys and their version numbers unchanged,
+similar to the Kerberos V4
+.B ext_srvtab
+command.
+That allows users to continue to use the passwords they know
+to login normally, while simultaneously allowing scripts
+to login to the same account using a keytab.
+There is no significant security risk added since
+.B kadmin.local
+must be run by root on the KDC anyway.
+.sp
+Requires the
 .I inquire
 and
 .I changepw
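Review bot: the new synopsis line has unbalanced brackets: `[\fB\-norandkey\fP] [[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]` opens `[[` but closes only one of them; the principal part should stay `[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]` as before. Since this page documents both kadmin and kadmin.local, the synopsis should also mark `\-norandkey` as accepted only by kadmin.local (the body text below says so, but the synopsis is what most readers copy from).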
Index: src/kadmin/cli/keytab.c
===================================================================
RCS file: /export/src/CVS/usr.local/krb5-1.2/src/kadmin/cli/keytab.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 keytab.c
--- src/kadmin/cli/keytab.c	2000/06/30 21:57:17	1.1.1.1
+++ src/kadmin/cli/keytab.c	2000/12/22 18:04:09
@@ -56,10 +56,17 @@
 extern krb5_context context;
 extern void *handle;
 static int quiet;
+#ifdef KADMIN_LOCAL
+static int norandkey;
+#endif

 void add_usage()
 {
+#ifdef KADMIN_LOCAL
+     fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-
norandkey] [principal | -glob princ-exp] [...]\n");
+#else
      fprintf(stderr, "Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist]
[principal | -glob princ-exp] [...]\n");
+#endif
 }

 void rem_usage()
@@ -127,6 +134,9 @@

      argc--; argv++;
      quiet = 0;
+#ifdef KADMIN_LOCAL
+     norandkey = 0;
+#endif
      while (argc) {
 	  if (strncmp(*argv, "-k", 2) == 0) {
 	       argc--; argv++;
@@ -137,6 +147,10 @@
 	       keytab_str = *argv;
 	  } else if (strcmp(*argv, "-q") == 0) {
 	       quiet++;
+#ifdef KADMIN_LOCAL
+	  } else if (strcmp(*argv, "-norandkey") == 0) {
+	       norandkey++;
+#endif
 	  } else if (strcmp(*argv, "-e") == 0) {
 	       argc--;
 	       if (argc < 1) {
@@ -160,6 +174,12 @@
 	  add_usage();
 	  return;
      }
+#ifdef KADMIN_LOCAL
+     if (norandkey && ks_tuple) {
+       fprintf(stderr, "cannot specify keysaltlist when not changing key\n");
+       return;
+     }
+#endif

      if (process_keytab(context, &keytab_str, &keytab))
 	  return;
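Review bot: the bare `return` after the "cannot specify keysaltlist when not changing key" message skips whatever cleanup the normal exit path performs; if ks_tuple was allocated while parsing `-e`, it is lost on this path. Route the error through the same cleanup as the other failure paths, and consider calling add_usage() as the usage error just above does, so the user sees the accepted option combinations.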
@@ -245,7 +265,7 @@
      krb5_principal princ;
      krb5_keytab_entry new_entry;
      krb5_keyblock *keys;
-     int code, code2, mask, nkeys, i;
+     int code, nkeys, i;

      (void) memset((char *)&princ_rec, 0, sizeof(princ_rec));

@@ -260,6 +280,11 @@
 	  goto cleanup;
      }

+#ifdef KADMIN_LOCAL
+     if (norandkey)
+       code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys);
+     else
+#endif
      if (keepold || ks_tuple != NULL) {
 	 code = kadm5_randkey_principal_3(handle, princ,
 					  keepold, n_ks_tuple, ks_tuple,
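Review bot: the `#ifdef KADMIN_LOCAL ... else #endif` construct leaves a dangling `else` that binds across a preprocessor boundary to the following `if (keepold || ks_tuple != NULL)`; it compiles, but any later edit that inserts a statement or braces before that `if` silently changes what the norandkey case skips. Suggest keeping the whole selection inside one guarded block with explicit braces (`if (norandkey) { code = kadm5_get_principal_keys(handle, princ, &keys, &nkeys); } else { ...existing chain... }`), or computing a single flag before the chain and testing it in an unconditional `if`.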
Index: src/lib/kadm5/admin.h
===================================================================
RCS file: /export/src/CVS/usr.local/krb5-1.2/src/lib/kadm5/admin.h,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 admin.h
--- src/lib/kadm5/admin.h	2000/06/30 21:57:19	1.1.1.1
+++ src/lib/kadm5/admin.h	2000/12/22 18:04:10
@@ -381,6 +381,13 @@
 kadm5_ret_t    kadm5_create_policy_internal(void *server_handle,
 					    kadm5_policy_ent_t
 					    entry, long mask);
+/*
+ * Similar for kadm5_get_principal_keys.
+ */
+kadm5_ret_t    kadm5_get_principal_keys(void *server_handle,
+					krb5_principal principal,
+					krb5_keyblock **keyblocks,
+					int *n_keys);
 kadm5_ret_t    kadm5_delete_policy(void *server_handle,
 				   kadm5_policy_t policy);
 kadm5_ret_t    kadm5_modify_policy(void *server_handle,
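Review bot: the comment `Similar for kadm5_get_principal_keys.` does not say what it is similar to, and admin.h is also the header used by the client library, which never implements this function; a caller built against libkadm5clnt would only discover that at link time. Spell out in the comment that this is a server-side entry point with no RPC or network path (as the commit message states), available only through libkadm5srv, and consider guarding the prototype so that kadmin proper cannot reference it by accident.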
Index: src/lib/kadm5/srv/svr_principal.c
===================================================================
RCS file: /export/src/CVS/usr.local/krb5-1.2/src/lib/kadm5/srv/svr_principal.c,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 svr_principal.c
--- src/lib/kadm5/srv/svr_principal.c	2000/06/30 21:57:20	1.1.1.1
+++ src/lib/kadm5/srv/svr_principal.c	2000/12/22 18:04:10
@@ -1609,6 +1609,60 @@
 }

 /*
+ * Return the list of keys like kadm5_randkey_principal,
+ * but don't modify the principal.
+ */
+kadm5_ret_t
+kadm5_get_principal_keys(void *server_handle /* IN */,
+			 krb5_principal principal /* IN */,
+			 krb5_keyblock **keyblocks /* OUT */,
+			 int *n_keys /* OUT */)
+{
+    krb5_db_entry		kdb;
+    osa_princ_ent_rec		adb;
+    krb5_key_data		*key_data;
+    kadm5_ret_t			ret;
+    kadm5_server_handle_t	handle = server_handle;
+
+    if (keyblocks)
+	 *keyblocks = NULL;
+
+    CHECK_HANDLE(server_handle);
+
+    if (principal == NULL)
+	return EINVAL;
+
+    if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
+       return(ret);
+
+    if (keyblocks) {
+	 if (handle->api_version == KADM5_API_VERSION_1) {
+	      /* Version 1 clients will expect to see a DES_CRC enctype. */
+	      if ((ret = krb5_dbe_find_enctype(handle->context, &kdb,
+					      ENCTYPE_DES_CBC_CRC,
+					      -1, -1, &key_data)))
+		   goto done;
+
+	      if ((ret = decrypt_key_data(handle->context, 1, key_data,
+					 keyblocks, NULL)))
+		   goto done;
+	 } else {
+	      ret = decrypt_key_data(handle->context,
+				     kdb.n_key_data, kdb.key_data,
+				     keyblocks, n_keys);
+	      if (ret)
+		   goto done;
+	 }
+    }
+
+    ret = KADM5_OK;
+done:
+    kdb_free_entry(handle, &kdb, &adb);
+
+    return ret;
+}
+
+/*
  * Allocate an array of n_key_data krb5_keyblocks, fill in each
  * element with the results of decrypting the nth key in key_data with
  * master_keyblock, and if n_keys is not NULL fill it in with the
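Review bot: `n_keys` is never set in the `KADM5_API_VERSION_1` branch (`decrypt_key_data(handle->context, 1, key_data, keyblocks, NULL)`), so a version-1 caller that passes `&nkeys`, as keytab.c does, reads an uninitialized count; add `if (n_keys) *n_keys = 1;` there, or pass `n_keys` through to decrypt_key_data. Separately, the function hands back the decrypted long-term keys of any principal to whoever holds a server handle with no ACL check of its own, so the "no protocol access" property from the commit message is the only thing bounding it; the header comment should say so explicitly so that nobody later exposes it over the kadmin protocol.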
>Audit-Trail:
>Unformatted:


      Mon Aug 19 14:17:12 2002  RT_System - Tags enhancement added    
      Mon Aug 19 14:17:12 2002  RT_System - Component krb5-admin added    
      Mon Aug 19 14:17:12 2002  RT_System - Version_reported 1.2.1 added    
      Tue Feb  6 19:44:21 2007  tlyu - Subject changed from keytab add without randomizing key to keytab add without randomizing key    
      Tue Feb  6 19:44:22 2007  tlyu - Target_Version next added    
      Mon Apr 16 17:35:07 2007  rra - Given to rra    
      Mon Apr 16 17:35:07 2007  rra - Status changed from new to resolved    
      Mon Apr 16 17:35:07 2007  rra - Correspondence added    
     
From: Russ Allbery <rra@stanford.edu>
Subject: SVN Commit

Add support for extracting existing keys from the KDC with kadmin.local.
Adds a -norandkey option to the ktadd command only in kadmin.local, and
adds a new function to the libkadm5srv library that kadmin.local can
call.  There is no protocol or network access to this function.

Commit By: rra



Revision: 19474
Changed Files:
U   trunk/src/kadmin/cli/kadmin.M
U   trunk/src/kadmin/cli/keytab.c
U   trunk/src/lib/kadm5/admin.h
U   trunk/src/lib/kadm5/srv/svr_principal.c


      Mon Apr 16 18:03:59 2007  rra - Correspondence added    
     
From: Russ Allbery <rra@stanford.edu>
Subject: SVN Commit

Add the new kadm5srv function krb5_get_principal_keys to the export list.

Build a separate copy of kadmin/cli/keytab.c for kadmin.local that exposes
the -norandkey flag in a way that doesn't require the compiler support -c
and -o at the same time.

Commit By: rra



Revision: 19475
Changed Files:
U   trunk/src/kadmin/cli/Makefile.in
A   trunk/src/kadmin/cli/keytab_local.c
U   trunk/src/lib/kadm5/srv/libkadm5srv.exports


      Fri Jan 30 23:08:17 2009  tlyu - Version_Fixed 1.7 added