From tlyu@MIT.EDU Fri Dec 12 19:11:54 1997
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA23112 for <bugs@RT-11.MIT.EDU>; Fri, 12 Dec 1997 19:11:36 -0500
Received: from TESLA-COIL.MIT.EDU by MIT.EDU with SMTP
id AA29653; Fri, 12 Dec 97 19:11:36 EST
Received: by tesla-coil.MIT.EDU (SMI-8.6/4.7) id TAA02587; Fri, 12 Dec 1997 19:11:24 -0500
Message-Id: <199712130011.TAA02587@tesla-coil.MIT.EDU>
Date: Fri, 12 Dec 1997 19:11:24 -0500
From: tlyu@MIT.EDU
Reply-To: tlyu@MIT.EDU
To: krb5-bugs@MIT.EDU
Subject: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
X-Send-Pr-Version: 3.99
>Number: 514
>Category: krb5-kdc
>Synopsis: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Dec 12 19:12:01 EST 1997
>Last-Modified: Sun Dec 14 22:28:01 EST 1997
>Originator: Tom Yu
>Organization:
mit
>Release: 1.0-development
>Environment:
System: SunOS tesla-coil 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-4
Architecture: sun4
>Description:
The KDC, when operating in krb4 compat mode, fails to notice
that a key with a krb4 salt doesn't exist for a principal if it also
has another key that is DES_CBC_CRC but of a different salt. This can
cause quite a bit of confusion with initial tickets.
>How-To-Repeat:
Attempt to get an initial ticket for a principal that has a
DES_CBC_CRC key but without a krb4 salt.
>Fix:
The code in kerb_get_principal needs to have some additional
logic, probably an extra argument in the call chain leading up to it,
in order to discover whether it is servicing an initial ticket request
or not. It is probably safe to issue a service ticket for a principal
having a DES_CBC_CRC key with the wrong salt, as that never needs to
have a key derived from a password. I haven't had time to actually
write up a patch yet but this is to remind myself to do so.
>Audit-Trail:
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
To: tlyu@MIT.EDU
Cc: krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/514: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
Date: Sun, 14 Dec 1997 22:27:21 -0500
> Attempt to get an initial ticket for a principal that has a
>DES_CBC_CRC key but without a krb4 salt.
As a note ... some V4 programs know how to deal with AFS-salted keys,
so this code should fall back to encrypting something with an AFS-salted
key if it can't find a V4 one.
--Ken
>Unformatted:
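
The key selection proposed in the Fix field, combined with the AFS-salt fallback from the follow-up, as an added example (not code from the krb5 tree or from either poster). The types, `select_v4_key` and the sample key lists are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Illustrative types for this example; not the krb5 headers. */
enum enctype  { ENC_DES_CBC_CRC, ENC_DES3_CBC_SHA1 };
enum salttype { SALT_NORMAL, SALT_V4, SALT_AFS3 };
struct key_entry { enum enctype enctype; enum salttype salt; };

/*
 * Pick the key a krb4-compat KDC uses for one principal (hypothetical helper).
 * Initial request: the client derives its key from a password, so only a
 * salt a V4 client can reproduce will do: V4 first, then AFS as fallback.
 * NULL means "no usable key", so the caller rejects the request instead
 * of issuing a ticket the client cannot decrypt.
 * Service ticket: the key is never derived from a password, so any
 * DES_CBC_CRC key is acceptable whatever its salt.
 */
const struct key_entry *
select_v4_key(const struct key_entry *keys, size_t nkeys, int is_initial)
{
    const struct key_entry *v4 = NULL, *afs = NULL, *any_des = NULL;
    size_t i;

    for (i = 0; i < nkeys; i++) {
        const struct key_entry *k = &keys[i];
        if (k->enctype != ENC_DES_CBC_CRC)
            continue;                 /* krb4 only understands single DES */
        if (any_des == NULL)
            any_des = k;
        if (k->salt == SALT_V4 && v4 == NULL)
            v4 = k;
        else if (k->salt == SALT_AFS3 && afs == NULL)
            afs = k;
    }
    return is_initial ? (v4 ? v4 : afs) : any_des;
}

/* Constructed sample principals. */
static const struct key_entry wrong_salt_only[] = {
    {ENC_DES3_CBC_SHA1, SALT_NORMAL}, {ENC_DES_CBC_CRC, SALT_NORMAL}};
static const struct key_entry with_afs[] = {
    {ENC_DES_CBC_CRC, SALT_NORMAL}, {ENC_DES_CBC_CRC, SALT_AFS3}};
static const struct key_entry with_v4[] = {
    {ENC_DES_CBC_CRC, SALT_AFS3}, {ENC_DES_CBC_CRC, SALT_V4}};

int main(void)
{
    printf("wrong salt only: %s\n", select_v4_key(wrong_salt_only, 2, 1) ? "issue" : "reject");
    printf("AFS fallback:    %s\n", select_v4_key(with_afs, 2, 1) ? "issue" : "reject");
    printf("V4 salt present: %s\n", select_v4_key(with_v4, 2, 1) ? "issue" : "reject");
    return 0;
}
```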