From Nicolas.Williams@ubsw.com Thu Oct 18 14:56:08 2001
Message-Id: <200110181855.OAA20160@sm0d1989cmp.stm.swissbank.com>
Date: Thu, 18 Oct 2001 14:55:24 -0400 (EDT)
From: Nicolas Williams <Nicolas.Williams@ubsw.com>
Reply-To: Nicolas.Williams@ubsw.com
To: krb5-bugs@mit.edu
Subject: ETYPE-INFO handling bug
X-Send-Pr-Version: 3.99

>Number: 1006
>Category: krb5-libs
>Synopsis: MIT krb5 clients (all versions) don't check ALL ETYPE-INFO entries, only the first one
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Oct 18 14:57:00 EDT 2001
>Last-Modified:
>Originator: Nicolas Williams
>Organization:
UBS Warburg / Perot Systems Corp.
--
>Release: krb5-1.2.2
>Environment:
Solaris 2.6 and 8, MIT krb5 v1.2.2 KDCs
>Description:

Older releases of MIT krb5 don't cope well with newer KDCs that support
new enctypes, even when the principals involved have keys in the
enctypes supported by the older clients.

Here's what I've found:

- decode_krb5_etype_info() produces an array of krb5_etype_info_entry
(this is good)

- krb5_do_preauth() [v1.1.x, v1.2.x] does not try (*pa_types[j].fct)()
for each krb5_etype_info_entry, only the first one -- if
(*pa_types[j].fct)() returns KRB5_PROG_ETYPE_NOSUPP then
krb5_do_preauth() should try the next krb5_etype_info_entry

- krb5_obtain_padata() [pre-v1.1.x] does not try (*key_proc)() for each
krb5_etype_info_entry, only the first one -- if (*key_proc)() returns
KRB5_PROG_ETYPE_NOSUPP then krb5_obtain_padata() should try the next
krb5_etype_info_entry

- the KDC COULD (SHOULD!) sort the ETYPE_INFO sequence such that the
enctype requested by the client in the KDC REQ is put first in the
sequence, but doesn't; instead, the ETYPE_INFO sequence is generated
in the order returned by krb5_dbe_search_enctype(), which is the
order in which the keys for the given principal were created by
kadmin.

>How-To-Repeat:

Using a 1.1.x or 1.2.x KDC and a pre-DES3 client:

- set up a principal with des and des keys
- set the requires_preauth flag for that principal
- attempt to kinit with the older client

>Fix:

Here's a patch for the KDC which sorts the ETYPE_INFO sequence as
discussed above. The clients should be patched to fix the problem
in perpetuity.

--- orig/kdc/kdc_preauth.c Wed, 14 Mar 2001 14:20:32 -0500
+++ current/kdc/kdc_preauth.c Thu, 11 Oct 2001 14:17:42 -0400
@@ -501,6 +501,74 @@
return retval;
}

+static void
+sort_etype_info(context, request, etype_info)
+ krb5_context context;
+ krb5_kdc_req * request;
+ krb5_etype_info_entry **etype_info;
+{
+ krb5_etype_info_entry *tmp;
+ int i, j, e;
+ krb5_boolean similar;
+
+ if (etype_info == NULL)
+ return;
+
+ /* First, move up etype_info_entries whose enctype exactly matches a
+ * requested enctype.
+ */
+ e = 0;
+ for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
+ {
+ if (request->ktype[i] == etype_info[e]->etype)
+ {
+ e++;
+ continue;
+ }
+ for ( j = e+1 ; etype_info[j] ; j++ )
+ if (request->ktype[i] == etype_info[j]->etype)
+ break;
+ if (etype_info[j] == NULL)
+ continue;
+
+ tmp = etype_info[j];
+ etype_info[j] = etype_info[e];
+ etype_info[e] = tmp;
+ e++;
+ }
+
+ /* Then move up etype_info_entries whose enctype is similar to a
+ * requested enctype.
+ */
+ e=0;
+ for ( i = 0 ; i < request->nktypes && etype_info[e] != NULL ; i++ )
+ {
+ if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[e]->etype, &similar) != 0)
+ continue;
+
+ if (similar)
+ {
+ e++;
+ continue;
+ }
+ for ( j = e+1 ; etype_info[j] ; j++ )
+ {
+ if (krb5_c_enctype_compare(context, request->ktype[i], etype_info[j]->etype, &similar) != 0)
+ continue;
+
+ if (similar)
+ break;
+ }
+ if (etype_info[j] == NULL)
+ continue;
+
+ tmp = etype_info[j];
+ etype_info[j] = etype_info[e];
+ etype_info[e] = tmp;
+ e++;
+ }
+}
+
/*
* This function returns the etype information for a particular
* client, to be passed back in the preauth list in the KRB_ERROR
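Review bot: In the second pass, the outer `if (krb5_c_enctype_compare(...) != 0) continue;` abandons the requested ktype[i] as soon as the comparison against etype_info[e] fails, so later entries that are similar to that ktype are never examined; treat a failed comparison as "not similar" and fall through to the inner `for ( j = e+1 ; ...)` search instead. The function also only swaps entries, so enctypes the client never requested stay in the sequence, and when nothing matches the first entry is still one the client cannot use. A comment stating that limitation, and why `e` is reset to 0 before the second pass, would help the next reader.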
@@ -571,6 +639,7 @@
break;
}
}
+ sort_etype_info(context, request, entry);
retval = encode_krb5_etype_info((const krb5_etype_info_entry **) entry,
&scratch);
if (retval)
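Review bot: The added call hands `entry` to a function that walks the array until it reaches a NULL pointer, and the visible context does not show the terminator being written before this line; confirm that entry is NULL-terminated on every path that reaches the call, including the `break` out of the loop just above, or pass the element count explicitly. Because sort_etype_info() returns void, a failure of krb5_c_enctype_compare inside it is silent here, which is acceptable for a best-effort reorder but deserves a one-line comment at the call site.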




>Audit-Trail:
>Unformatted:
To: krb5-bugs@mit.edu
Cc: 169014-forwarded@bugs.debian.org
Subject: [Richard Hanschu <richardh@examen.com>] Bug#169014: krb5-kdc no longer interops with Solaris SEAM
From: Sam Hartman <hartmans@debian.org>
Date: Thu, 14 Nov 2002 21:24:26 -0500
The following Debian bug report describes an interop problem between
Solaris and MIT Kerberos 1.2.6 or greater. The patch under discussion
is the patch we introduced in 1.2.6 to send etype_info.

Apparently we send etype_info corresponding to etypes that the client
didn't request and thus doesn't understand.

This seems to be fairly close to a violation of the extensibility
guidelines in the Kerberos protocol spec.
Subject: Bug#169014: krb5-kdc no longer interops with Solaris SEAM
From: Richard Hanschu <richardh@examen.com>
To: submit@bugs.debian.org
X-Mailer: Ximian Evolution 1.0.5
Date: 13 Nov 2002 16:15:21 -0800
Message-Id: <1037232921.21044.27.camel@claudius>

Package: krb5-kdc
Version: 1.2.4-5woody3



After upgrading krb5-kdc from 1.2.4-5 to 1.2.4-5woody3 I lost the
ability for Solaris8 systems to get a tgt from the kdc. The Solaris
system complains thusly:

kinit: Program lacks support for encryption type while getting initial
credentials

No conf files were changed during the upgrade. SASL (LDAP) and OpenSSL
are still able to authenticate as well as the debian clients.

I highly suspect that the bug fix #162794 caused this problem as all
discussion that I could find about this error message involves enctype
issues with Heimdal and Solaris.

Please contact me if you require more info or testing. I plan on
reverting to 1.2.4-5woody1 this evening to see if this removes the
issue.

-Richard

Richard Hanschu
Examen, Inc
richardh@examen.com
To: Richard Hanschu <richardh@examen.com>
Cc: 169014@bugs.debian.org, rt-comment@krbdev.mit.edu
Subject: [krbdev.mit.edu #1259]Re: Bug#169014: krb5-kdc no longer interops with Solaris SEAM
From: Sam Hartman <hartmans@debian.org>
Date: Thu, 14 Nov 2002 21:28:03 -0500
RT-Send-Cc:

I believe you can work around this either by disabling
preauth_required on principals that need to log in from Solaris or
dropping des3-hmac-sha1 from supported_enctypes in your kdc.conf and
changing passwords.

Both of these workarounds have security implications unfortunately,
although not using des3 probably isn't that serious if you have a lot
of Solaris clients already.
To: rt@krbdev.mit.edu
Subject: [krbdev@mit.edu #1006]Correct solution
Date: Wed, 12 Feb 2003 15:23:22 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


In this bug Nico suggests that the KDC sort the etype info based on
what the client requested. I actually think the client should sort
the returned etype info based on what it requested and should check to
make sure the etype is supported as it does this sort.

The KDC should not return etypes that the client didn't request.
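
The client-side selection and KDC-side filtering proposed in this message, next to the first-entry-only behaviour from the original report, as an added C illustration (not the krb5 source and not the committed fix). The function names, the `similar()` rule and the sample arrays are assumptions, and the request list doubles as the set of enctypes the client supports.

```c
#include <stddef.h>

/* Hypothetical stand-ins, not the MIT krb5 API. The numbers are the assigned
 * enctype values for des-cbc-crc, des-cbc-md5 and des3-cbc-sha1. */
enum { DES_CBC_CRC = 1, DES_CBC_MD5 = 3, DES3_CBC_SHA1 = 16, NOSUPP = -1 };

/* Constructed sample: KDC lists des3 first; the client asked for DES only. */
static const int sample_info[] = { DES3_CBC_SHA1, DES_CBC_CRC };
static const int sample_req[]  = { DES_CBC_MD5, DES_CBC_CRC };

/* Simplified stand-in for krb5_c_enctype_compare(): the two single-DES
 * enctypes count as similar, anything else must match exactly. */
static int similar(int a, int b)
{
    int a_des = (a == DES_CBC_CRC || a == DES_CBC_MD5);
    int b_des = (b == DES_CBC_CRC || b == DES_CBC_MD5);
    return a == b || (a_des && b_des);
}

static int wanted(int etype, const int *req, size_t nreq)
{
    for (size_t r = 0; r < nreq; r++)
        if (similar(req[r], etype)) return 1;
    return 0;
}

/* Behaviour described in the report: only entry 0 is considered. */
int pick_first_only(const int *info, size_t n, const int *req, size_t nreq)
{
    return (n > 0 && wanted(info[0], req, nreq)) ? info[0] : NOSUPP;
}

/* Client side: walk the request in preference order, scanning every entry. */
int pick_any(const int *info, size_t n, const int *req, size_t nreq)
{
    for (size_t r = 0; r < nreq; r++)
        for (size_t i = 0; i < n; i++)
            if (similar(req[r], info[i])) return info[i];
    return NOSUPP;
}

/* KDC side: drop entries the client did not request; returns the new count. */
size_t kdc_filter(int *info, size_t n, const int *req, size_t nreq)
{
    size_t out = 0;
    for (size_t i = 0; i < n; i++)
        if (wanted(info[i], req, nreq)) info[out++] = info[i];
    return out;
}
```
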
From: hartmans@mit.edu
Subject: CVS Commit
The client sorts the enctype list returned by etype_info ordering
enctypes that it requested or that are similar to ones it requested
first.

The KDC only includes enctypes in etype_info if they were requested by
the client.


To generate a diff of this commit:



cvs diff -r5.247 -r5.248 krb5/src/kdc/ChangeLog
cvs diff -r5.33 -r5.34 krb5/src/kdc/kdc_preauth.c
cvs diff -r5.371 -r5.372 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.20 -r5.21 krb5/src/lib/krb5/krb/preauth2.c
From: hartmans@mit.edu
Subject: CVS Commit
Fix typo that caused infinite loop in previous patch.


To generate a diff of this commit:



cvs diff -r5.248 -r5.249 krb5/src/kdc/ChangeLog
cvs diff -r5.34 -r5.35 krb5/src/kdc/kdc_preauth.c