Skip Menu |
 

Download (untitled) / with headers
text/plain 2.5KiB
From tlyu@MIT.EDU Fri Dec 12 19:11:54 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA23112 for <bugs@RT-11.MIT.EDU>; Fri, 12 Dec 1997 19:11:36 -0500
Received: from TESLA-COIL.MIT.EDU by MIT.EDU with SMTP
id AA29653; Fri, 12 Dec 97 19:11:36 EST
Received: by tesla-coil.MIT.EDU (SMI-8.6/4.7) id TAA02587; Fri, 12 Dec 1997 19:11:24 -0500
Message-Id: <199712130011.TAA02587@tesla-coil.MIT.EDU>
Date: Fri, 12 Dec 1997 19:11:24 -0500
From: tlyu@MIT.EDU
Reply-To: tlyu@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
X-Send-Pr-Version: 3.99

Show quoted text
>Number: 514
>Category: krb5-kdc
>Synopsis: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Dec 12 19:12:01 EST 1997
>Last-Modified: Sun Dec 14 22:28:01 EST 1997
>Originator: Tom Yu
>Organization:
mit
Show quoted text
>Release: 1.0-development
>Environment:

System: SunOS tesla-coil 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-4
Architecture: sun4

Show quoted text
>Description:
The KDC, when operating in krb4 compat mode, fails to notice
that a key with a krb4 salt doesn't exist for a principal if it also
has another key that is DES_CBC_CRC but of a different salt. This can
cause quite a bit of confusion with initial tickets.

Show quoted text
>How-To-Repeat:
Attempt to get an initial ticket for a principal that has a
DES_CBC_CRC key but without a krb4 salt.

Show quoted text
>Fix:
The code in kerb_get_principal needs to have some additional
logic, probably an extra argument in the call chain leading up to it,
in order to discover whether it is servicing an initial ticket request
or not. It is probably safe to issue a service ticket for a principal
having a DES_CBC_CRC key with the wrong salt, as that never needs to
have a key derived from a password. I haven't had time to actually
write up a patch yet but this is to remind myself to do so.
Show quoted text
>Audit-Trail:

From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: tlyu@MIT.EDU
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/514: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
Date: Sun, 14 Dec 1997 22:27:21 -0500

Show quoted text
> Attempt to get an initial ticket for a principal that has a
>DES_CBC_CRC key but without a krb4 salt.

As a note ... some V4 programs know how to deal with AFS-salted keys,
so this code should fall back to encrypting something with a AFS-salted
key if it can't find a V4 one.

--Ken
Show quoted text
>Unformatted:
Irrelevant due to krb4 removal.