Date: Wed, 17 Nov 2010 11:36:28 +0000
To: krb5-bugs@mit.edu
Subject: krb5-admin : possible bug ?
From: Dennis Davis

>Submitter-Id: net
>Originator: Dennis Davis
>Organization: BUCS, University of Bath, Bath, BA2 7AY, UK
>Confidential: no
>Synopsis: The +preauth default in kdc.conf isn't always obeyed.
>Severity: non-critical
>Priority: low
>Category: krb5-admin
>Class: sw-bug
>Release: 1.8.3
>Environment:
System: OpenBSD bahamontes.bath.ac.uk 4.8 GENERIC.MP#359 i386
>Description:

I'm running an experimental krb5-1.8.3 server and I've noticed that I get different (and erroneous?) behaviour from krb5-1.7.1 and krb5-1.6.3 kadmin clients. All of this is on various releases of the OpenBSD operating system, although that shouldn't be relevant.

kdc.conf on my server looks like:

[kdcdefaults]
    kdc_ports = 88

[realms]
    BATH.AC.UK = {
        database_name = /kerberosV/var/krb5kdc/principal
        admin_keytab = /kerberosV/var/krb5kdc/kadm5.keytab
        acl_file = /kerberosV/var/krb5kdc/kadm5.acl
        dict_file = /kerberosV/var/krb5kdc/kadm5.dict
        key_stash_file = /kerberosV/var/krb5kdc/.k5.BATH.AC.UK
        kadmind_port = 749
        max_life = 10h 0m 0s
        max_renewable_life = 7d 0h 0m 0s
        master_key_type = des-cbc-crc
        supported_enctypes = aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal des-cbc-crc:normal des-cbc-crc:v4
        default_principal_flags = +postdateable,+forwardable,+tgt-based,+renewable,+proxiable,+dup-skey,+allow-tickets,+service,+preauth
    }

This should be fairly standard, with the exception of the "+preauth" flag being added to "default_principal_flags" as an addition to the default flags.

If I create principals using a krb5-1.6.3 or krb5-1.7.1 kadmin client *and* specify the -randkey argument, the principal is created without the +preauth flag being set. The +preauth is set only when I use a krb5-1.8.3 kadmin client with -randkey. This is demonstrated in the following terminal session:

Script started on Tue Nov 16 16:15:19 2010
ancho.bath.ac.uk ?// krb5-config --all
Version:     Kerberos 5 release 1.6.3
Vendor:      Massachusetts Institute of Technology
Prefix:      /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Password for ccsdhd/admin@BATH.AC.UK:
kadmin: addprinc bungle1
WARNING: no policy specified for bungle1@BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle1@BATH.AC.UK":
Re-enter password for principal "bungle1@BATH.AC.UK":
Principal "bungle1@BATH.AC.UK" created.
kadmin: getprinc bungle1
Principal: bungle1@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:19 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:16:19 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: addprinc -randkey bungle2
WARNING: no policy specified for bungle2@BATH.AC.UK; defaulting to no policy
Principal "bungle2@BATH.AC.UK" created.
kadmin: getprinc bungle2
Principal: bungle2@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:56 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:16:56 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin: quit
ancho.bath.ac.uk ?// krb5-config --all
Version:     Kerberos 5 release 1.7.1
Vendor:      Massachusetts Institute of Technology
Prefix:      /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Password for ccsdhd/admin@BATH.AC.UK:
kadmin: addprinc bungle3
WARNING: no policy specified for bungle3@BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle3@BATH.AC.UK":
Re-enter password for principal "bungle3@BATH.AC.UK":
Principal "bungle3@BATH.AC.UK" created.
kadmin: getprinc bungle3
Principal: bungle3@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:17:44 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:17:45 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: addprinc -randkey bungle4
WARNING: no policy specified for bungle4@BATH.AC.UK; defaulting to no policy
Principal "bungle4@BATH.AC.UK" created.
kadmin: getprinc bungle4
Principal: bungle4@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:18:21 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:18:21 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes:
Policy: [none]
kadmin: quit
ancho.bath.ac.uk ?// krb5-config --all
Version:     Kerberos 5 release 1.8.3
Vendor:      Massachusetts Institute of Technology
Prefix:      /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Password for ccsdhd/admin@BATH.AC.UK:
kadmin: addprinc bungle5
WARNING: no policy specified for bungle5@BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle5@BATH.AC.UK":
Re-enter password for principal "bungle5@BATH.AC.UK":
Principal "bungle5@BATH.AC.UK" created.
kadmin: getprinc bungle5
Principal: bungle5@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:19:12 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:19:12 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: addprinc -randkey bungle6
WARNING: no policy specified for bungle6@BATH.AC.UK; defaulting to no policy
Principal "bungle6@BATH.AC.UK" created.
kadmin: getprinc bungle6
Principal: bungle6@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:19:36 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:19:36 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: quit
ancho.bath.ac.uk ?// exit
Script done on Tue Nov 16 16:19:50 2010

>How-To-Repeat: See above.
>Fix: Not known.
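The practical worry behind this report is that a KDC administrator who relies on "+preauth" in default_principal_flags may end up with principals that silently lack REQUIRES_PRE_AUTH, depending on which kadmin client created them. The following audit script is an added example, not part of the bug report or of the MIT krb5 distribution: it parses the "getprinc" output format shown in the session above and lists every principal whose "Attributes:" line does not carry REQUIRES_PRE_AUTH, then emits the kadmin "modprinc +requires_preauth" command that would set it. The sample output embedded in the script is constructed to match the report's format (bungle2 stands in for a principal created with -randkey by an older client); in real use the text would come from running "getprinc" for each principal, for example via kadmin.local.

```python
"""Audit kadmin 'getprinc' output for principals that lack REQUIRES_PRE_AUTH.

Added example (not from the bug report or from MIT krb5). The '+preauth'
entry in kdc.conf's default_principal_flags is meant to give every new
principal the REQUIRES_PRE_AUTH attribute; this script finds the ones
where that did not happen.
"""
from typing import Dict, List

# Constructed sample modelled on the getprinc output in the report. Only the
# lines this parser cares about are kept in full; bungle2 has an empty
# Attributes: line, as the -randkey principals created by the 1.6.3/1.7.1
# clients did, and bungle3 carries two attributes to show list splitting.
SAMPLE_GETPRINC_OUTPUT = """\
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Principal: bungle1@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:19 GMT 2010
Maximum ticket life: 0 days 10:00:00
Number of keys: 2
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
Principal: bungle2@BATH.AC.UK
Expiration date: [never]
Number of keys: 1
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
Policy: [none]
Principal: bungle3@BATH.AC.UK
Expiration date: [never]
Attributes: DISALLOW_FORWARDABLE REQUIRES_PRE_AUTH
Policy: [none]
"""

REQUIRED_ATTRIBUTE = "REQUIRES_PRE_AUTH"


def parse_getprinc(text: str) -> Dict[str, List[str]]:
    """Map each principal to the list of flag names on its Attributes: line.

    A record starts at every 'Principal:' line. Attributes are printed as
    space-separated names after 'Attributes:'; an empty line means no flags.
    A record with no Attributes: line at all is also recorded as having none,
    so it is still reported by the audit below. Other lines (the kadmin
    authentication banner, key lines, dates) are ignored.
    """
    records: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            records[current] = []
        elif line.startswith("Attributes:") and current is not None:
            records[current] = line.split(":", 1)[1].split()
    return records


def principals_missing(records: Dict[str, List[str]],
                       attribute: str = REQUIRED_ATTRIBUTE) -> List[str]:
    """Principals whose attribute list does not contain the required flag."""
    return sorted(p for p, attrs in records.items() if attribute not in attrs)


def audit_preauth(text: str) -> List[str]:
    """Convenience wrapper: parse getprinc output and return the offenders."""
    return principals_missing(parse_getprinc(text))


def remediation_commands(principals: List[str]) -> List[str]:
    """kadmin commands that set the attribute; modprinc takes +requires_preauth."""
    return [f"modprinc +requires_preauth {p}" for p in principals]


if __name__ == "__main__":
    missing = audit_preauth(SAMPLE_GETPRINC_OUTPUT)
    if not missing:
        print("all principals require preauthentication")
    for cmd in remediation_commands(missing):
        print(cmd)
```

To audit a live database, concatenate the "getprinc" output for every principal (for instance from kadmin.local on the KDC) and pass it to audit_preauth; the parser keys on the "Principal:" and "Attributes:" lines only, so extra lines such as "MKey: vno 1" from newer servers do not affect it.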