Message-Id: <199906271937.PAA01189@fermi.cmf.nrl.navy.mil>
Date: Sun, 27 Jun 1999 15:37:15 -0400
From: Chas Williams
Reply-To: chas@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Cc: kenh@cmf.nrl.navy.mil
Subject: new kinit and h/w preauth
X-Send-Pr-Version: 3.99

>Number: 730
>Category: krb5-libs
>Synopsis: h/w preauth seems broken in krb5_get_init_creds_password
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Jun 27 15:38:01 EDT 1999
>Last-Modified:
>Originator: Chas Williams
>Organization: Naval Research Laboratory, Washington, DC
>Release: krb5-current-19990626
>Environment:
System: SunOS fermi 5.6 Generic_105181-11 sun4d sparc SUNW,SPARCserver-1000
Architecture: sun4
>Description:
Attempting to use the new kinit (using the krb5_get_init_creds_password
routine) to get a ticket, and my principal has the requires hwauth flag
set, I fail to get a ticket with the error message 'Bad password'.

    % ./kinit
    CryptoCard RB-1
    Press ENTER and compare this challenge to the one on your display
    Challenge is [42058226], Enter the displayed response: 86566993
    kinit: Password incorrect

Note that it DIDN'T actually prompt me for a password. It just said
bad password. If I give a bad response to the challenge, I get back
'preauth failed', which is correct.
>How-To-Repeat:
See above.
>Fix:
Apparently, the problem lies in gic_pwd.c (but I am not an expert on
this code, so this is mostly a guess). Near the beginning of
krb5_get_as_key_password(), we see:

    /* if there's already a key of the correct etype, we're done.
       if the etype is wrong, free the existing key, and make
       a new one. */

    if (as_key->length) {
        if (as_key->enctype == etype)
            return 0;
        krb5_free_keyblock_contents(context, as_key);
        as_key->length = 0;
    }

After the hw preauth exchanges, as_key->enctype = etype, but I haven't
been asked for my password, and since this routine is the one that does
that job, this function shouldn't return 0 at this point; it should
continue. (W/o hw preauth, as_key->length = 0, I believe, and this code
isn't triggered.)

I 'fixed' it by changing it to:

    if (as_key->length) {
        if (as_key->enctype != etype) {
            krb5_free_keyblock_contents(context, as_key);
            as_key->length = 0;
        }
    }

After this change, kinit asks for my password after the preauth exchange
and I am able to get a ticket. This change doesn't seem to bother
principals not using h/w preauth.

On a side note, I don't think it should display my response to the
challenge. I suspect the hidden flag isn't being set.
>Audit-Trail:
>Unformatted:
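
Added example, not part of the original report and not MIT krb5 code: a simplified C model of the check quoted above, comparing the original and the changed form by counting password prompts. The names struct keyblock, prompt_and_derive, key_original, key_changed and prompts_for are hypothetical, and the key being pre-filled after h/w preauth is taken from the report's description. It goes one step past the report by also calling each form twice on the same key, which shows that the changed form no longer takes the "we're done" shortcut the original comment describes.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-in for a krb5 keyblock; not the MIT krb5 type. */
struct keyblock { int enctype; unsigned length; unsigned char contents[8]; };
static int prompts;   /* how many times the user was asked for a password */

/* Stand-in for the password prompt and string-to-key step after the check. */
static void prompt_and_derive(struct keyblock *k, int etype) {
    prompts++;
    k->enctype = etype;
    k->length = sizeof k->contents;
    memset(k->contents, 0xAA, k->length);    /* constructed key bytes */
}

/* Check as quoted from gic_pwd.c: a key of the right etype ends the call. */
int key_original(struct keyblock *k, int etype) {
    if (k->length) {
        if (k->enctype == etype)
            return 0;
        memset(k, 0, sizeof *k);   /* models free + length = 0 */
    }
    prompt_and_derive(k, etype);
    return 0;
}

/* Check as changed in the report: only a wrong-etype key is discarded. */
int key_changed(struct keyblock *k, int etype) {
    if (k->length) {
        if (k->enctype != etype)
            memset(k, 0, sizeof *k);
    }
    prompt_and_derive(k, etype);
    return 0;
}

/* Prompts seen over `calls` calls; preset != 0 pre-fills the key with that etype. */
int prompts_for(int (*fn)(struct keyblock *, int), int preset, int etype, int calls) {
    struct keyblock k = {0};
    if (preset) { k.enctype = preset; k.length = sizeof k.contents; }
    prompts = 0;
    while (calls-- > 0) fn(&k, etype);
    return prompts;
}

int main(void) {
    printf("key preset, one call: %d vs %d\n", prompts_for(key_original, 1, 1, 1), prompts_for(key_changed, 1, 1, 1));
    printf("no preset, two calls: %d vs %d\n", prompts_for(key_original, 0, 1, 2), prompts_for(key_changed, 0, 1, 2));
    return 0;
}
```

In this model the changed form prompts on every call, so a caller that invokes the routine more than once per login would ask for the password each time.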