
From: Sam Hartman <>
Date: Sat, 31 Jul 2004 11:36:32 -0400
Subject: [Russ Allbery] Bug#262192: libkrb53: krb_get_pw_in_tkt problems with AFS keys
Subject: Bug#262192: libkrb53: krb_get_pw_in_tkt problems with AFS keys
Date: 30 Jul 2004 02:12:54 -0000
From: Russ Allbery <>
To: Debian Bug Tracking System <>

Package: libkrb53
Version: 1.3.3-2
Severity: normal

Hi Sam,

I ran into this bug while trying to get one of our local K4 programs
working with the current Debian Kerberos libraries.

krb_get_pw_in_tkt, the function called to obtain a Kerberos v4 ticket via
a password, calls in turn each of the available _passwd_to_key functions
(mit, afs, and krb5). Ignoring krb5, which can't handle the case that no
password is supplied, each of those functions will call the appropriate
_read_password function if no password is given.

However, in the case that no password is given, afs_passwd_to_key calls
des_read_password. This doesn't actually use the AFS string to key
function, since des_read_password always calls des_string_to_key on the
result. That means that password authentication via krb_get_pw_in_tkt
always fails against a realm that uses the AFS string to key function.

That's the first problem. The second problem is that each of the
_passwd_to_key functions prompts independently. This means that even if
one fixes the above problem, krb_get_pw_in_tkt will prompt for a password
twice, and from the perspective of the user of an AFS-keyed realm, the
first prompt will always fail and only the second one will work. It
should really prompt only once and then use the resulting password with
each different string to key function (which would also remove the odd
behavior of krb_get_pw_in_tkt prompting again on an incorrect password).

I am attaching below patches for both of these problems. These patches
are independent, in the sense that neither requires the other to be
applied to be effective. Applying the patch for the second problem will
work around the first problem, but regardless I think that the current
afs_passwd_to_key function is obviously broken.

These are obviously not Debian-specific bugs. If you'd like me to report
these as upstream bugs, I'd be happy to do that. I've checked, and
neither of these bugs is fixed in 1.3.4.

Here is the patch for afs_passwd_to_key. Note that it introduces a new
function afs_read_password parallel to des_read_password, which I know is
less than ideal, but it seemed like the cleanest fix.

diff -ru krb5-1.3.3/src/include/kerberosIV/des.h krb5-1.3.3-new/src/include/kerberosIV/des.h
--- krb5-1.3.3/src/include/kerberosIV/des.h 2003-03-06 11:52:33.000000000 -0800
+++ krb5-1.3.3-new/src/include/kerberosIV/des.h 2004-07-29 16:56:08.000000000 -0700
@@ -183,6 +183,7 @@

/* XXX ABI change: used to return krb5_error_code */
int KRB5_CALLCONV des_read_password(des_cblock *, char *, int);
+int KRB5_CALLCONV afs_read_password(des_cblock *, char *, int, char *);
int KRB5_CALLCONV des_ecb_encrypt(des_cblock *, des_cblock *,
const des_key_schedule, int);
/* XXX kfm/cns have signed long length */
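
Review bot: The added afs_read_password prototype exports a new KRB5_CALLCONV function from des.h without saying what its fourth `char *` argument is. The definition names it `cell` and the caller in password_to_key.c passes `realm`, so a short comment on the prototype stating that this is the AFS cell handed to afs_string_to_key would keep future callers from guessing. Since this is a public header, the new symbol also needs to be listed wherever the library's exports are maintained.
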
diff -ru krb5-1.3.3/src/lib/des425/read_passwd.c krb5-1.3.3-new/src/lib/des425/read_passwd.c
--- krb5-1.3.3/src/lib/des425/read_passwd.c 2003-03-06 12:16:15.000000000 -0800
+++ krb5-1.3.3-new/src/lib/des425/read_passwd.c 2004-07-29 16:55:53.000000000 -0700
@@ -102,6 +102,24 @@
return ok;

+ mit_des_cblock *k;
+ char *prompt;
+ int verify;
+ char *cell;
+ int ok;
+ char key_string[BUFSIZ];
+ ok = des_read_pw_string(key_string, sizeof(key_string), prompt, verify);
+ if (ok == 0)
+ afs_string_to_key(key_string, cell, *k);
+ memset(key_string, 0, sizeof (key_string));
+ return ok;
/* Note: this function is exported on KfM. Do not change its ABI. */
des_read_pw_string(s, max, prompt, verify)
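
Review bot: The `memset(key_string, 0, sizeof (key_string));` directly before `return ok;` in afs_read_password clears a local buffer that is never read again, so an optimizing compiler may drop it as a dead store and leave the typed password on the stack. Clear the buffer in a way the compiler cannot remove, for example by writing the zeros through a volatile pointer. Separately, when des_read_pw_string fails, `*k` is never written, so every caller has to check the return value before using the key.
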
diff -ru krb5-1.3.3/src/lib/krb4/password_to_key.c krb5-1.3.3-new/src/lib/krb4/password_to_key.c
--- krb5-1.3.3/src/lib/krb4/password_to_key.c 2003-06-04 17:24:29.000000000 -0700
+++ krb5-1.3.3-new/src/lib/krb4/password_to_key.c 2004-07-29 16:55:11.000000000 -0700
@@ -143,7 +143,7 @@
afs_string_to_key(passwd, realm, key);
} else {
#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
- des_read_password((des_cblock *)key, "Password", 0);
+ afs_read_password((des_cblock *)key, "Password", 0, realm);
return (-1);
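
Review bot: The return value of afs_read_password is discarded on the added line, just as it was for des_read_password. afs_read_password only calls afs_string_to_key when the read succeeds, so a failed prompt leaves `key` unset and nothing is reported from this call site. Check the result and return an error when it is nonzero.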

And here is the patch to krb_get_pw_in_tkt to obtain the password first
and then call the various string to key functions on the password string.
It relies on being able to call des_read_pw_string from inside the libkrb4
library, but that appears to be safe at least at the moment. (If the
upstream uses the exports files on Unix in 1.3.4 or later, this may have
to be tweaked to export this function -- I notice that it isn't prototyped
in des.h.)

--- krb5-1.3.3/src/lib/krb4/g_in_tkt.c.orig 2003-06-04 16:21:51.000000000 -0700
+++ krb5-1.3.3/src/lib/krb4/g_in_tkt.c 2004-07-29 18:43:50.000000000 -0700
@@ -406,6 +406,8 @@
KRB_UINT32 *laddrp;
+ int ok;
+ char key_string[BUFSIZ];
KTEXT_ST cip_st;
KTEXT cip = &cip_st; /* Returned Ciphertext */
int kerror;
@@ -420,6 +422,23 @@
cip, &byteorder, &local_addr);
if (kerror)
return kerror;
+ /* If arg is null, we have to prompt for the password. decrypt_tkt, by
+ way of the *_passwd_to_key functions, will prompt if the password is
+ NULL, but that means that each separate encryption type will prompt
+ separately. Obtain the password first so that we can try multiple
+ encryption types without re-prompting.
+ Don't, however, prompt on a Windows or Macintosh environment, since
+ that's harder. Rely on our caller to do it. */
+#if !(defined(_WIN32) || defined(USE_LOGIN_LIBRARY))
+ if (arg == NULL) {
+ ok = des_read_pw_string(key_string, sizeof(key_string), "Password", 0);
+ if (ok != 0)
+ return ok;
+ arg = key_string;
+ }

/* Attempt to decrypt the reply. Loop trying password_to_key algorithms
until we succeed or we get an error other than "bad password" */
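
Review bot: In the added prompt block, `return ok;` hands the caller the status from des_read_pw_string, while the line just above it returns `kerror`, so a failed prompt comes back as a value from a different error space. Map the failure to a Kerberos v4 error code before returning, so that callers that interpret the result as a krb error do not misread it.
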
@@ -443,6 +462,7 @@

/* stomp stomp stomp */
+ memset(key_string, 0, sizeof(key_string));
memset(cip->dat, 0, (size_t)cip->length);
return kerror;
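
Review bot: The added `memset(key_string, 0, sizeof(key_string));` sits only on the final `return kerror;` path, so the `return ok;` added after the prompt exits without clearing either key_string or cip->dat. If des_read_pw_string can leave partial input in the buffer on failure, wipe key_string on that path as well, and consider sending every exit taken after the reply has been received through one cleanup point.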

-- System Information:
Debian Release: 3.1
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.26
Locale: LANG=C, LC_CTYPE=C (ignored: LC_ALL set to C)

Versions of packages libkrb53 depends on:
ii libc6 2.3.2.ds1-13 GNU C Library: Shared libraries an
ii libcomerr2 1.35-6 The Common Error Description libra

-- no debconf information
From: Russ Allbery <>
Subject: CVS Commit
When NULL is passed into krb_get_in_pw_tkt, we only want to prompt once
for the password rather than passing NULL along to each string to key
function causing each to prompt independently. Modify krb_get_in_pw_tkt
to call des_read_pw_string directly and then pass the resulting password
into each string to key function as needed. Add a prototype of
des_read_pw_string to krb4int.h since it's an exported function of
libdes425 but isn't prototyped in des.h.

Commit By: rra

Revision: 18129
Changed Files:
U trunk/src/lib/krb4/g_in_tkt.c
U trunk/src/lib/krb4/krb4int.h