From: Anders Kaseorg
To: krb5-bugs@mit.edu
Date: Fri, 8 Jan 2016 04:08:47 -0500 (EST)
Subject: ksu broken with 2FA principals again

In krb5 1.13, ksu is unable to authenticate with my andersk/root@ATHENA.MIT.EDU principal, which is secured with Duo two-factor authentication:

    $ ksu $USER -n andersk/root
    WARNING: Your password may be exposed if you enter it here and are logged in remotely using an unsecure (non-encrypted) channel.
    Kerberos password for andersk/root@ATHENA.MIT.EDU: : ksu: Cannot read password while getting initial credentials
    Goodbye

I reported a similar but separate problem with ksu at http://krbdev.mit.edu/rt/Ticket/Display.html?id=7862; that one was fixed in krb5-1.13-alpha1~225 and krb5-1.12.2-final~55. This time, it doesn’t even get as far as prompting for the second challenge. kinit still works, and ksu with non-2FA principals still works.

Bisection searches on various branches show that this new problem showed up here:

    commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de
    Author: Nalin Dahyabhai
    Date:   Tue Sep 16 13:50:05 2014 -0400

        Fix ksu crash in cases where it obtains the TGT

        In order to allow ksu to use any locally-present service key for
        verifying creds, the previous change to ksu switched from using a
        retrieved or obtained TGT to fetch creds for the local "host" service,
        and then passing those creds to krb5_verify_init_creds(), to passing
        the retrieved TGT directly to krb5_verify_init_creds().  It did not
        take care to retrieve the TGT from the temporary ccache if it had
        obtained them, and in those cases it would attempt to verify NULL
        creds.

        Modify the krb5_get_tkt_via_passwd() function to call
        krb5_get_init_creds_password(), to pass back the freshly-obtained
        creds, to take a "krb5_get_init_creds_opt" pointer instead of a
        locally-defined options structure, and rename it to
        ksu_get_tgt_via_passwd().

        ticket: 8015 (new)
        target_version: 1.13
        tags: pullup

    GOOD krb5-1.14-alpha1~237 (59cbb76 Document KDC TCP listener change)
    BAD  krb5-1.14-alpha1~236 (5fd5a67 Fix ksu crash in cases where it obtains the TGT)
    GOOD krb5-1.13-beta1~9   (8f8cf0e Document KDC TCP listener change)
    BAD  krb5-1.13-beta1~8   (5ccab82 Fix ksu crash in cases where it obtains the TGT)

Current master (09e8307) and krb5-1.13 (d19f02e) are still broken. krb5-1.12 (d93407b) is unaffected.

Anders