RT/krbdev.mit.edu: Ticket #4950 gc_frm_kdc doesn't adjust use_conf_ktypes in referrals case

 The Basics  
Id
4950
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
  • krb5-libs
Version_reported
  • 1.6
Version_Fixed
  • 1.6.3
Target_Version
  • 1.6.3
Tags
  • pullup
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
  • 2652: (amb) Add support for referrals [resolved]
Referred to by:
 
 Dates  
Created: Wed Nov 29 11:18:26 2006
Starts: Not set
Started: Mon May 14 18:58:51 2007
Last Contact: Not set
Due: Not set
Updated: Fri Aug 3 20:30:56 2007 by tlyu
 

 People  
Owner
 tlyu
Requestors
 hartmans@mit.edu, tlyu@mit.edu
Cc
 
AdminCc
 
 


History
      Wed Nov 29 11:18:28 2006  tlyu - Ticket created    
     
Subject: gc_frm_kdc doesn't adjust use_conf_ktypes in referrals case

If krb5_get_creds_from_kdc_opt() gets the final service ticket during
referrals processing, it does so with use_conf_ktypes = 1.  This may be
undesirable, as the application may have requested to override the config
file enctypes.  The problem is that the referrals code should set
use_conf_ktypes = 1 when getting TGTs.  There may need to be an explicit
check to see if the returned service ticket contains enctypes not
requested by the application, and if so, to repeat the request with
use_conf_ktypes = 0.

      Wed Nov 29 11:18:45 2006  tlyu - Ticket 4950 RefersTo ticket 2652.    
      Fri Jan 12 17:45:19 2007  tlyu - Target_Version 1.6 changed to 1.7    
      Sun Apr 29 13:36:11 2007  hartmans - Ticket 5550: Ticket created    
     
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Sun, 29 Apr 2007 13:35:57 -0400



gss_set_allowable_enctypes eventually ends up causing
krb5_set_default_tgs_enctypes to be called on a krb5_context.

We've been seeing a problem on Debian for 1.6 and 1.6.1 where the NFS
rpc.gssd ends up with an aes context even though it only supports a
des context and requests same by calling gss_set_allowable_enctypes.


I walked through this in gdb and found that while tgs_ktypes is
getting set in the context passed into krb5_get_credentials it is not
being respected.  The credentials coming back from
krb5_get_credentials are (in my case) aes.  The request to the KDC
includes all the enctypes.

I suspect the referrals code interacts badly with use_conf_ktypes or
something like that.

I actually don't see how referrals could work well with
use_conf_ktypes because I think they have conflicting requirements.
Before fixing this bug it is important to first understand what is
going on and second have a discussion on krbdev about what should
happen instead.  I don't think this will be a simple fix.

--Sam


      Sun Apr 29 13:42:14 2007  hartmans - Ticket 5550: Target_Version 1.6.2 added    
      Sun Apr 29 21:22:27 2007  tlyu - Ticket 5550: Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
From: Tom Yu <tlyu@MIT.EDU>
Date: Sun, 29 Apr 2007 21:22:17 -0400

This looks like a duplicate of ticket #4950.  I think what we want to
do is if we get a final ticket via referrals with an enctype not in
the restricted application-requested set, retry with
use_conf_ktypes=old_use_conf_ktypes.

      Mon Apr 30 04:07:32 2007  hartmans - Ticket 5550: Correspondence added    
     
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Mon, 30 Apr 2007 04:07:27 -0400

You need to somehow order the enctypes though so that enctypes that
end up in the restricted application set come first (and in their
order) when using conf_ktypes.

If you do that, this sounds reasonable.


      Mon Apr 30 12:29:32 2007  tlyu - Ticket 5550: Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 30 Apr 2007 12:29:22 -0400

>>>>> "Sam" == Sam Hartman via RT <rt-comment@krbdev.mit.edu> writes:

Sam> You need to somehow order the enctypes though so that enctypes that
Sam> end up in the restricted application set come first (and in their
Sam> order) when using conf_ktypes.

Sam> If you do that, this sounds reasonable.

Are you suggesting this as an alternative to repeating the request for
the final ticket using conf_ktypes=0?

      Tue May  1 12:17:20 2007  hartmans - Ticket 5550: Correspondence added    
     
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Tue, 01 May 2007 12:16:36 -0400

>>>>> "Tom" == Tom Yu via RT <rt-comment@krbdev.mit.edu> writes:

>>>>> "Sam" == Sam Hartman via RT <rt-comment@krbdev.mit.edu> writes:
    Sam> You need to somehow order the enctypes though so that
    Sam> enctypes that end up in the restricted application set come
    Sam> first (and in their order) when using conf_ktypes.

    Sam> If you do that, this sounds reasonable.

    Tom> Are you suggesting this as an alternative to repeating the
    Tom> request for the final ticket using conf_ktypes=0?


No, in addition to.  If the final result is one of the application's
enctypes you need to make sure that the right enctype was chosen.
That depends on ordering.


      Mon May 14 16:52:21 2007  tlyu - Ticket 5550: Ticket 5550 MergedInto ticket 4950.    
      Mon May 14 18:58:51 2007  tlyu - Status changed from new to open    
      Mon May 14 18:58:51 2007  tlyu - Given to tlyu    
      Mon May 14 18:58:52 2007  tlyu - Version_reported 1.6 added    
      Mon May 14 18:58:52 2007  tlyu - Target_Version 1.7 changed to 1.6.2    
      Thu Jul  5 15:23:41 2007  tlyu - Target_Version 1.6.2 changed to 1.6.3    
      Fri Aug  3 17:16:25 2007  tlyu - Status changed from open to resolved    
      Fri Aug  3 17:16:25 2007  tlyu - Tags pullup added    
      Fri Aug  3 17:16:25 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

Based on Apple's patch, during the referrals loop, check to see if the
session key enctype of a returned credential for the final service is
among the enctypes explicitly selected by the application, and retry
with old_use_conf_ktypes if it is not.


Commit By: tlyu



Revision: 19748
Changed Files:
_U  trunk/
U   trunk/src/lib/krb5/krb/gc_frm_kdc.c


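The check that r19748 describes, together with the ordering point Sam raises earlier in the thread, as an added illustration in plain C; this is not the gc_frm_kdc.c code from the commit. The enctype numbers are the RFC 3961/3962 values, the two enctype lists are constructed samples, and the function names are hypothetical.

```c
#include <stdio.h>

/* Enctype numbers from RFC 3961/3962, defined here to avoid needing krb5.h. */
enum { ENC_DES_CBC_CRC = 1, ENC_DES_CBC_MD5 = 3, ENC_DES3_CBC_SHA1 = 16,
       ENC_AES128_CTS = 17, ENC_AES256_CTS = 18, ENC_RC4_HMAC = 23 };

/* Constructed sample: an rpc.gssd-style caller that only supports DES has
   restricted itself via gss_set_allowable_enctypes; krb5.conf allows more. */
static const int app_ktypes[]  = { ENC_DES_CBC_CRC, ENC_DES_CBC_MD5 };
static const int conf_ktypes[] = { ENC_AES256_CTS, ENC_AES128_CTS, ENC_DES3_CBC_SHA1,
                                   ENC_RC4_HMAC, ENC_DES_CBC_MD5, ENC_DES_CBC_CRC };
#define NELEM(a) (sizeof(a) / sizeof((a)[0]))

static int in_list(int e, const int *list, size_t n)
{
    while (n--) if (list[n] == e) return 1;
    return 0;
}

/* The check r19748 describes: the referrals loop fetches the final service
   ticket with use_conf_ktypes = 1, so a session-key enctype outside the
   application's explicit set means the request must be repeated with the
   application's own list (old_use_conf_ktypes restored).  1 means retry. */
int must_retry_with_app_ktypes(int session_enctype, const int *app, size_t n_app)
{
    return n_app > 0 && !in_list(session_enctype, app, n_app);
}

/* Sam Hartman's ordering point (discussed, not part of the commit): when the
   config list is sent, the application's enctypes lead, in its own order. */
size_t order_ktypes(const int *conf, size_t n_conf, const int *app, size_t n_app,
                    int *out, size_t cap)
{
    size_t n = 0, i;
    for (i = 0; i < n_app && n < cap; i++)      /* app-selected first, app order */
        if (in_list(app[i], conf, n_conf)) out[n++] = app[i];
    for (i = 0; i < n_conf && n < cap; i++)     /* then the rest of the config list */
        if (!in_list(conf[i], app, n_app)) out[n++] = conf[i];
    return n;
}

int main(void)
{
    int ordered[NELEM(conf_ktypes)];
    size_t i, n = order_ktypes(conf_ktypes, NELEM(conf_ktypes), app_ktypes,
                               NELEM(app_ktypes), ordered, NELEM(ordered));
    printf("retry needed for aes256 session key: %d\nrequest order:",
           must_retry_with_app_ktypes(ENC_AES256_CTS, app_ktypes, NELEM(app_ktypes)));
    for (i = 0; i < n; i++) printf(" %d", ordered[i]);
    printf("\n"); return 0;
}
```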
      Fri Aug  3 20:30:53 2007  tlyu - Version_Fixed 1.6.3 added    
      Fri Aug  3 20:30:54 2007  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

back-port r19748 from trunk

 Based on Apple's patch, during the referrals loop, check to see if the
 session key enctype of a returned credential for the final service is
 among the enctypes explicitly selected by the application, and retry
 with old_use_conf_ktypes if it is not.


Commit By: tlyu



Revision: 19751
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/krb/gc_frm_kdc.c

