From: mdw@umich.edu
To: krb5-bugs@mit.edu
Cc: kwc@umich.edu, vpliakas@umich.edu, mdw@umich.edu
Date: Fri, 12 Sep 2008 11:44:59 -0400
Subject: kadm5 setkey can create illegal keys in kdb

>Submitter-Id: net
>Originator: mdw@umich.edu
>Organization: University of Michigan
>Confidential: no
>Synopsis: kadm5 setkey rpc can create illegal keys in kdb.
>Severity: non-critical
>Priority: low
>Category: krb5-admin
>Class: sw-bug
>Release: 1.6.3
>Environment:
dell pe1750 running umce linux, krb5 1.6.3+patches
System: Linux strawdogs.ifs.umich.edu 2.6.23.1 #3 SMP Tue Oct 23 11:37:43 EDT 2007 i686 GNU/Linux
Architecture: i686
>Description:
While the cli doesn't expose it, there's a "setkey" rpc in the kadm5 protocol. Using this provides an elegant way to handle adding service keys such as for afs with less downtime.
>How-To-Repeat:
Write a program which calls kadm5_setkey_principal_3. Run it on a principal. Then run kadmin & look at the resulting key type. In 1.4.3 this worked fine; in stock 1.6.3, this results in an enctype and kvno of 0.
>Fix:
Run-time workaround, don't call kadm5_setkey_principal_3.
Compile-time fix, apply the patch in /afs/umich.edu/group/itd/build/mdw/krb5.15x/patches/krb5-1.6.3-setkey1.patch