Skip Menu |
 

From kwc@babylon.citi.umich.edu Wed Dec 10 13:44:09 2003
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU [18.7.7.76]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id NAA02468; Wed, 10 Dec 2003 13:44:08 -0500 (EST)
Received: from citi.umich.edu (citi.umich.edu [141.211.133.111])
by fort-point-station.mit.edu (8.12.4/8.9.2) with ESMTP id hBAIi8VA017297
for <krb5-bugs@mit.edu>; Wed, 10 Dec 2003 13:44:08 -0500 (EST)
Received: from babylon.citi.umich.edu (babylon.citi.umich.edu [141.211.133.5])
(using TLSv1 with cipher EDH-DSS-DES-CBC3-SHA (168/168 bits))
(No client certificate requested)
by citi.umich.edu (Postfix) with ESMTP id C9BB5207E5
for <krb5-bugs@mit.edu>; Wed, 10 Dec 2003 13:44:07 -0500 (EST)
Received: (from kwc@localhost)
by babylon.citi.umich.edu (8.12.10/8.12.10/Submit) id hBAIi6Is022321;
Wed, 10 Dec 2003 13:44:06 -0500
Date: Wed, 10 Dec 2003 13:44:06 -0500
Message-Id: <200312101844.hBAIi6Is022321@babylon.citi.umich.edu>
To: krb5-bugs@mit.edu
Subject: K4 lifetime issues
From: kwc@citi.umich.edu
Reply-To: kwc@citi.umich.edu
Cc:
X-send-pr-version: 3.99


Show quoted text
>Submitter-Id: net
>Originator: Kevin Coffman
>Organization:
University of Michigan -- CITI
Show quoted text
>Confidential: no
>Synopsis: Problems with ticket lifetimes in K4
>Severity: serious
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-1.3.1
>Environment:

System: Linux babylon.citi.umich.edu 2.4.21-4.ELsmp #1 SMP Fri Oct 3 17:52:56 EDT 2003 i686 i686 i386 GNU/Linux
Architecture: i686

Show quoted text
>Description:
Resetting the issue time confuses clients into thinking there is
a clock skew problem

A TGS request for unlimited lifetime results in an endtime of
0xffffffff.

Show quoted text
>How-To-Repeat:
The default Windows OpenAFS client uses K4. It had problems getting
tokens with the adjustment of the issue time.

KTH/Heimdal code requests unlimited lifetime service tickets.
Show quoted text
>Fix:

[ 61 ] rock/.../kdc% cvs diff -u -r MIT_1_3_1 kerberos_v4.c
Index: kerberos_v4.c
===================================================================
RCS file: /afs/umich.edu/group/itd/software/packages/k/kerberos-5/cvs/krb5/src/kdc/kerberos_v4.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 kerberos_v4.c
--- kerberos_v4.c 21 Jul 2003 20:28:38 -0000 1.1.1.3
+++ kerberos_v4.c 10 Dec 2003 18:15:15 -0000
@@ -743,6 +743,7 @@
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
+#if !defined(UMICH)
/*
* Adjust issue time backwards if necessary, due to
* roundup in krb_time_to_life(). XXX This frobs
@@ -750,6 +751,7 @@
*/
if (v4endtime > v4req_end)
kerb_time.tv_sec -= v4endtime - v4req_end;
+#endif

#ifdef NOENCRYPTION
memset(session_key, 0, sizeof(C_Block));
@@ -932,11 +934,21 @@
/* Bound requested lifetime with service and user */
v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->life);
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
+#if defined(UMICH)
+ /*
+ * Even if they requested unlimited lifetime,
+ * it is still limited by the end of their TGT
+ */
+ if (v4req_end == 0xffffffff)
+ v4req_end = v4endtime;
+ else
+#endif
v4req_end = min(v4endtime, v4req_end);
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);

lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
+#if !defined(UMICH)
/*
* Adjust issue time backwards if necessary, due to
* roundup in krb_time_to_life(). XXX This frobs
@@ -944,6 +956,7 @@
*/
if (v4endtime > v4req_end)
kerb_time.tv_sec -= v4endtime - v4req_end;
+#endif

/* unseal server's key from master key */
memcpy(key, &s_name_data.key_low, 4);
To: rt@krbdev.mit.edu
Cc: krb5-prs@mit.edu
Subject: Re: [krbdev.mit.edu #2058] Problems with ticket lifetimes in K4
From: Sam Hartman <hartmans@mit.edu>
Date: Wed, 10 Dec 2003 14:15:00 -0500
RT-Send-Cc:
Kevin, I find this bug report unreadable. I have no idea what you're
complanaing about, why you think it is wrong, or why you think your
fix is correct.

If you want a reasonable probability of the problem being fixed,
please step back, explain the issue clearly and explain what's going
on. Then explain what your fix does.

Thanks.
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2058] Problems with ticket lifetimes in K4
Date: Wed, 10 Dec 2003 17:21:53 -0500
From: Kevin Coffman <kwc@citi.umich.edu>
RT-Send-Cc:
Download (untitled) / with headers
text/plain 3.7KiB
Show quoted text
> Kevin, I find this bug report unreadable. I have no idea what you're
> complanaing about, why you think it is wrong, or why you think your
> fix is correct.
>
> If you want a reasonable probability of the problem being fixed,
> please step back, explain the issue clearly and explain what's going
> on. Then explain what your fix does.
>
> Thanks.

There are two different, but related, problems that I ran into
with the the new K4 lifetime code added in 1.3. We've been
carrying local mods that do the afs lifetime handling, so I
appreciate this code being put into the base MIT release.
I'm sorry I didn't have the opportunity to test this earlier.

1) We have many Windows AFS clients which use the default
authentication code found there. This code, unlike all the
other AFS authentication code, uses K4 UDP instead of rx.
The AFS K4 code checks the issue time of the ticket it gets
back and compares it to its local time. If those times are
more than " clock skew" off, it fails with a clock skew error.
The adjustment of the the issue time (kerb_time.tv_sec) causes
the Windows AFS client to fail with a clock skew error.


2) The krb_life_to_time() routine returns 0xffffffff when the
requested lifetime is "unlimited" (0xff in the request). So
v4endtime becomes 0xffffffff. When this is used in the min()
functions, -1 is found to be the minimum. Thus a ticket with
an end time of 0xffffffff is returned. This lifetime should
be limited by the life of the TGT and the service's lifetime.

Let me know if I still haven't been clear enough.

K.C.



Here is a cleaner patch:

Index: kerberos_v4.c
===================================================================
RCS file: /afs/umich.edu/group/itd/software/packages/k/kerberos-5/cvs/kr
b5/src/kdc/kerberos_v4.c,v
retrieving revision 1.1.1.3
diff -u -r1.1.1.3 kerberos_v4.c
--- kerberos_v4.c 21 Jul 2003 20:28:38 -0000 1.1.1.3
+++ kerberos_v4.c 10 Dec 2003 22:16:57 -0000
@@ -743,13 +743,6 @@
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);
lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
- /*
- * Adjust issue time backwards if necessary, due to
- * roundup in krb_time_to_life(). XXX This frobs
- * kerb_time, which is potentially problematic.
- */
- if (v4endtime > v4req_end)
- kerb_time.tv_sec -= v4endtime - v4req_end;

#ifdef NOENCRYPTION
memset(session_key, 0, sizeof(C_Block));
@@ -932,18 +925,19 @@
/* Bound requested lifetime with service and user */
v4endtime = krb_life_to_time((KRB4_32)ad->time_sec, ad->
life);
v4req_end = krb_life_to_time(kerb_time.tv_sec, req_life);
- v4req_end = min(v4endtime, v4req_end);
+
+ /*
+ * Even if they requested unlimited lifetime,
+ * it is still limited by the end of their TGT
+ */
+ if (v4req_end == 0xffffffff)
+ v4req_end = v4endtime;
+ else
+ v4req_end = min(v4endtime, v4req_end);
v4req_end = min(v4req_end, kerb_time.tv_sec + sk5life);

lifetime = krb_time_to_life(kerb_time.tv_sec, v4req_end);
v4endtime = krb_life_to_time(kerb_time.tv_sec, lifetime);
- /*
- * Adjust issue time backwards if necessary, due to
- * roundup in krb_time_to_life(). XXX This frobs
- * kerb_time, which is potentially problematic.
- */
- if (v4endtime > v4req_end)
- kerb_time.tv_sec -= v4endtime - v4req_end;

/* unseal server's key from master key */
memcpy(key, &s_name_data.key_low, 4);
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2058] Problems with ticket lifetimes in K4
From: Tom Yu <tlyu@mit.edu>
Date: Wed, 10 Dec 2003 21:45:39 -0500
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.4KiB
Show quoted text
>>>>> "kwc" == kwc@citi umich edu via RT <rt-comment@krbdev.mit.edu> writes:

Show quoted text
kwc> 1) We have many Windows AFS clients which use the default
kwc> authentication code found there. This code, unlike all the
kwc> other AFS authentication code, uses K4 UDP instead of rx.
kwc> The AFS K4 code checks the issue time of the ticket it gets
kwc> back and compares it to its local time. If those times are
kwc> more than " clock skew" off, it fails with a clock skew error.
kwc> The adjustment of the the issue time (kerb_time.tv_sec) causes
kwc> the Windows AFS client to fail with a clock skew error.

The backwards adjustment of issue time is meant to expire the krb4
ticket at the same time as an equivalent krb4 ticket would expire. I
suppose we could round the lifetime down if necessary, though that
would cause tickets to expire much sooner than expected if you're in
the exponential lifetime region.

Show quoted text
kwc> 2) The krb_life_to_time() routine returns 0xffffffff when the
kwc> requested lifetime is "unlimited" (0xff in the request). So
kwc> v4endtime becomes 0xffffffff. When this is used in the min()
kwc> functions, -1 is found to be the minimum. Thus a ticket with
kwc> an end time of 0xffffffff is returned. This lifetime should
kwc> be limited by the life of the TGT and the service's lifetime.

Are you mixing krb4 implementations? The version of
krb_life_to_time() that is in krb5-1.3.1 does not return 0xffffffff
for a requested lifetime of 0xff.

---Tom
From: "Kevin Coffman" <kwc@citi.umich.edu>
To: <rt-comment@krbdev.mit.edu>
Cc: <krb5-prs@mit.edu>
Subject: RE: [krbdev.mit.edu #2058] Problems with ticket lifetimes in K4
Date: Wed, 10 Dec 2003 22:46:17 -0500
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.9KiB
Show quoted text
> -----Original Message-----
> From: 0000-Admin [mailto:daemon@MIT.EDU] On Behalf Of Tom Yu via RT
> Sent: Wednesday, December 10, 2003 9:46 PM
> To: kwc@citi.umich.edu
> Cc: krb5-prs@mit.edu
> Subject: Re: [krbdev.mit.edu #2058] Problems with ticket
> lifetimes in K4
>
>
> >>>>> "kwc" == kwc@citi umich edu via RT
> <rt-comment@krbdev.mit.edu> writes:
>
> kwc> 1) We have many Windows AFS clients which use the default
> kwc> authentication code found there. This code, unlike all the
> kwc> other AFS authentication code, uses K4 UDP instead of rx.
> kwc> The AFS K4 code checks the issue time of the ticket it gets
> kwc> back and compares it to its local time. If those times are
> kwc> more than " clock skew" off, it fails with a clock skew error.
> kwc> The adjustment of the the issue time (kerb_time.tv_sec) causes
> kwc> the Windows AFS client to fail with a clock skew error.
>
> The backwards adjustment of issue time is meant to expire the krb4
> ticket at the same time as an equivalent krb4 ticket would expire. I
> suppose we could round the lifetime down if necessary, though that
> would cause tickets to expire much sooner than expected if you're in
> the exponential lifetime region.


Our old mod rounded up, but I don't see a problem if you round down.


Show quoted text
> kwc> 2) The krb_life_to_time() routine returns 0xffffffff when the
> kwc> requested lifetime is "unlimited" (0xff in the request). So
> kwc> v4endtime becomes 0xffffffff. When this is used in the min()
> kwc> functions, -1 is found to be the minimum. Thus a ticket with
> kwc> an end time of 0xffffffff is returned. This lifetime should
> kwc> be limited by the life of the TGT and the service's lifetime.
>
> Are you mixing krb4 implementations? The version of
> krb_life_to_time() that is in krb5-1.3.1 does not return 0xffffffff
> for a requested lifetime of 0xff.

Yes, you're right. My apologies. I must have messed up the CVS merge.
Somehow the routines from our old local mods were overriding the new
routines in lib/krb4/lifetime.c
To: rt@krbdev.mit.edu
Subject: [krbdev.mit.edu #2058] V4 lifetime
Date: Mon, 5 Jan 2004 16:41:46 -0500 (EST)
From: hartmans@mit.edu (Sam Hartman)
RT-Send-Cc:


It's my understanding that the only problem here with the MIT codebase
is that backdating the request too far will cause the client library
clockskew check to fail. The other problem seems to be specific to
the Umich patches.
From: hartmans@mit.edu
Subject: CVS Commit
Only backdate the ticket that is created. The KDC reply must contain
the time from the client's request or the client will fail its
clockskew check if the request is backdated too far.


To generate a diff of this commit:



cvs diff -r5.266 -r5.267 krb5/src/kdc/ChangeLog
cvs diff -r5.88 -r5.89 krb5/src/kdc/kerberos_v4.c
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #2058] V4 lifetime
Date: Mon, 05 Jan 2004 17:07:57 -0500
From: Kevin Coffman <kwc@citi.umich.edu>
RT-Send-Cc:
Show quoted text
> It's my understanding that the only problem here with the MIT codebase
> is that backdating the request too far will cause the client library
> clockskew check to fail. The other problem seems to be specific to
> the Umich patches.

That's correct. Thanks!

K.C.
From: tlyu@mit.edu
Subject: CVS Commit
pullup from trunk


To generate a diff of this commit:



cvs diff -r5.251.2.12 -r5.251.2.13 krb5/src/kdc/ChangeLog
cvs diff -r5.87.2.1 -r5.87.2.2 krb5/src/kdc/kerberos_v4.c