To: krb5-bugs@MIT.EDU
Subject: make ccache handle referrals better
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 28 Aug 2007 20:05:47 -0400
In bug reports such as

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=436512

and ticket #5663 it appears that the referrals support causes some
problems in the following cases:

1. pre-existing cred having explicit service realm can't be found in
ccache when looking up a principal name with empty realm from
sname_to_princ

2. pre-existing cred having empty realm or different service realm
from actual encoded ticket can't be found in ccache when looking up
a principal name with the "correct" realm

Both of these can cause excess network traffic as the client attempts
to get another copy of ticket which it already has.

For (1), cause krb5_cc_retrieve_cred to search using the client
principal's realm as the service principal's realm if a search with an
empty service realm fails.

For (2), cause krb5_cc_store_cred to compare the service principal
(perhaps only the realm) in the cred against the principal in the
actual ticket. If they differ, store using both principal names.

These should be implemented independently of the back ends, i.e. the
krb5_cc_* interfaces will no longer be simple wrappers around a call
through a function pointer. The above solutions will also help in
cases where a ccache is shared between multiple implementations.
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 29 Aug 2007 19:23:29 -0400
From: tlyu@MIT.EDU
Subject: svn rev #19898: trunk/ src/lib/krb5/ccache/
To: cvs-krb5@mit.edu
Date: Wed, 29 Aug 2007 18:59:53 -0400 (EDT)
Reply-To: krbdev@MIT.EDU

Commit By: tlyu
Log Message:
ticket: 5697
tags: pullup

Make ccache handle referrals better by storing both server principal
names if they differ between the creds structure and the encoded
ticket and by looking up the server principal using the client's realm
if not found and server's realm was initially the referral (empty)
realm.



Changed Files:
_U trunk/
U trunk/src/lib/krb5/ccache/ccfns.c
This patch seems to cause the t_cc test to fail.
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
From: Tom Yu <tlyu@MIT.EDU>
Date: Fri, 31 Aug 2007 15:41:47 -0400
Ouch. It looks like t_cc fails because it attempts to use some
human-readable strings instead of valid ASN.1 for the actual encoded
"ticket" when storing a credential.
Date: Fri, 31 Aug 2007 16:04:09 -0400
From: Jeffrey Altman <jaltman@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
Tom Yu via RT wrote:
> Ouch. It looks like t_cc fails because it attempts to use some
> human-readable strings instead of valid ASN.1 for the actual encoded
> "ticket" when storing a credential.

Note that kx509 stores X.509 certificates in the cache using krb5_cc and
there is at least one site that is using the ccache to store SSH
private keys.

I don't think that failure to parse a ticket should result in the ticket
not being stored in the ccache under the requested name.
From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
Date: Fri, 31 Aug 2007 17:30:03 -0400
>>>>> "Jeffrey" == Jeffrey Altman via RT <rt-comment@krbdev.mit.edu> writes:

Jeffrey> Tom Yu via RT wrote:
>> Ouch. It looks like t_cc fails because it attempts to use some
>> human-readable strings instead of valid ASN.1 for the actual
>> encoded "ticket" when storing a credential.

Jeffrey> Note that kx509 stores X.509 certificates in the cache
Jeffrey> using krb5_cc and there is at least one site that is
Jeffrey> using the ccache to store SSH private keys.

It's not clear we support any of these use cases.
Date: Sat, 01 Sep 2007 00:50:51 -0400
From: Jeffrey Altman <jaltman@columbia.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5697] make ccache handle referrals better
Sam Hartman via RT wrote:
>>>>>> "Jeffrey" == Jeffrey Altman via RT <rt-comment@krbdev.mit.edu> writes:
>
> Jeffrey> Tom Yu via RT wrote:
> >> Ouch. It looks like t_cc fails because it attempts to use some
> >> human-readable strings instead of valid ASN.1 for the actual
> >> encoded "ticket" when storing a credential.
>
> Jeffrey> Note that kx509 stores X.509 certificates in the cache
> Jeffrey> using krb5_cc and there is at least one site that is
> Jeffrey> using the ccache to store SSH private keys.
>
> It's not clear we support any of these use cases.

That may be, but if you make this change you are going to break
code systems that people have been running in production for many
years. If there is no reason to break other people's applications,
why do so?

From: tlyu@mit.edu
Subject: SVN Commit
Bail out if encoded "ticket" doesn't decode correctly. This allows
t_cc test case to pass and allows non-tickets to be stored (for now).

Commit By: tlyu



Revision: 19910
Changed Files:
_U trunk/
U trunk/src/lib/krb5/ccache/ccfns.c
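As an added illustration of the two front-end changes described in the original report (retrieve falls back from the empty referral realm to the client's realm; store records the cred under both the creds-structure server name and the ticket's own sname when they differ) together with the r19910 bail-out for data that is not a decodable ticket, the following toy model in C is editorial example code, not code from the krb5 tree, and it does not call libkrb5. The Princ, Cred and Cache types, the flat-array back end, and the stand-in "name@REALM" ticket encoding are all assumptions made for this example; real tickets are ASN.1 and real back ends are the file, memory and API caches behind the function-pointer table.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CREDS 16
#define MAX_LEN   64

/* Toy principal (assumption for this example): realm "" is the referral realm. */
typedef struct { char name[MAX_LEN]; char realm[MAX_LEN]; } Princ;

/* Toy cred: the server name in the creds structure may differ from the sname
 * inside the encoded ticket after a KDC referral. */
typedef struct { Princ client; Princ server; char ticket[MAX_LEN]; } Cred;

/* Toy back end: flat array with exact-match lookup, like a file/memory ccache. */
typedef struct { Cred creds[MAX_CREDS]; int n; } Cache;

static Princ mk_princ(const char *name, const char *realm)
{
    Princ p;
    snprintf(p.name, sizeof p.name, "%s", name);
    snprintf(p.realm, sizeof p.realm, "%s", realm);
    return p;
}

static bool princ_eq(const Princ *a, const Princ *b)
{
    return strcmp(a->name, b->name) == 0 && strcmp(a->realm, b->realm) == 0;
}

/* Stand-in for decoding the ticket. The "encoding" is just "name@REALM"
 * (an assumption, not ASN.1); a PEM certificate or SSH key fails to decode. */
static bool decode_ticket_sname(const char *ticket, Princ *out)
{
    const char *at = strchr(ticket, '@');
    if (at == NULL || at == ticket || at[1] == '\0' || at - ticket >= MAX_LEN)
        return false;
    memcpy(out->name, ticket, (size_t)(at - ticket));
    out->name[at - ticket] = '\0';
    snprintf(out->realm, sizeof out->realm, "%s", at + 1);
    return true;
}

static int backend_store(Cache *cc, const Cred *c)
{
    if (cc->n >= MAX_CREDS)
        return -1;
    cc->creds[cc->n++] = *c;
    return 0;
}

static const Cred *backend_retrieve(const Cache *cc, const Princ *client,
                                    const Princ *server)
{
    for (int i = 0; i < cc->n; i++)
        if (princ_eq(&cc->creds[i].client, client) &&
            princ_eq(&cc->creds[i].server, server))
            return &cc->creds[i];
    return NULL;
}

/* Front-end store: always store under the creds-structure name; if the ticket
 * decodes and its sname differs, store a second copy under that sname; if it
 * does not decode, bail out quietly so non-ticket data is still cached. */
static int cc_store_cred(Cache *cc, const Cred *c)
{
    Princ tkt_server;
    Cred copy;
    int ret = backend_store(cc, c);
    if (ret != 0)
        return ret;
    if (!decode_ticket_sname(c->ticket, &tkt_server))
        return 0;                 /* not a ticket: keep the single copy */
    if (princ_eq(&tkt_server, &c->server))
        return 0;                 /* names agree: one copy suffices */
    copy = *c;
    copy.server = tkt_server;
    return backend_store(cc, &copy);
}

/* Front-end retrieve: on a miss with the empty (referral) server realm, retry
 * with the client's realm before the caller goes back to the KDC. */
static const Cred *cc_retrieve_cred(const Cache *cc, const Princ *client,
                                    const Princ *server)
{
    const Cred *hit = backend_retrieve(cc, client, server);
    if (hit != NULL || server->realm[0] != '\0')
        return hit;
    Princ retry = *server;
    snprintf(retry.realm, sizeof retry.realm, "%s", client->realm);
    return backend_retrieve(cc, client, &retry);
}

/* Each case returns the number of cache entries on a hit, or -1 on a miss. */
int case_empty_realm_lookup(void)   /* report's case (1) */
{
    Cache cc = {{{{{0}}}}, 0};
    Princ client = mk_princ("alice", "EXAMPLE.COM");
    Princ want = mk_princ("host/www.example.com", "");
    Cred c = { client, mk_princ("host/www.example.com", "EXAMPLE.COM"),
               "host/www.example.com@EXAMPLE.COM" };
    cc_store_cred(&cc, &c);
    return cc_retrieve_cred(&cc, &client, &want) != NULL ? cc.n : -1;
}

int case_mismatched_sname(void)     /* report's case (2) */
{
    Cache cc = {{{{{0}}}}, 0};
    Princ client = mk_princ("alice", "EXAMPLE.COM");
    Princ want = mk_princ("host/www.example.com", "OTHER.EXAMPLE");
    Cred c = { client, mk_princ("host/www.example.com", ""),
               "host/www.example.com@OTHER.EXAMPLE" };
    cc_store_cred(&cc, &c);
    return cc_retrieve_cred(&cc, &client, &want) != NULL ? cc.n : -1;
}

int case_non_ticket_blob(void)      /* r19910: undecodable data still stored */
{
    Cache cc = {{{{{0}}}}, 0};
    Princ client = mk_princ("alice", "EXAMPLE.COM");
    Princ want = mk_princ("kx509-cert", "EXAMPLE.COM");
    Cred c = { client, want, "-----BEGIN CERTIFICATE-----" };
    cc_store_cred(&cc, &c);
    return cc_retrieve_cred(&cc, &client, &want) != NULL ? cc.n : -1;
}

int main(void)
{
    printf("empty-realm lookup: %d entries\n", case_empty_realm_lookup());
    printf("mismatched sname:   %d entries\n", case_mismatched_sname());
    printf("non-ticket blob:    %d entries\n", case_non_ticket_blob());
    return 0;
}
```

The point of the model is that both fixes live above the back end: backend_store and backend_retrieve stay exact-match wrappers, so any back end (or a cache shared between implementations) benefits, and the second copy in case (2) is what makes the later "correct"-realm lookup hit without a round trip to the KDC.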
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19898 from trunk

r19898@cathode-dark-space: tlyu | 2007-08-29 18:59:52 -0400
ticket: 5697
tags: pullup

Make ccache handle referrals better by storing both server principal
names if they differ between the creds structure and the encoded
ticket and by looking up the server principal using the client's realm
if not found and server's realm was initially the referral (empty)
realm.



Commit By: tlyu



Revision: 19927
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/ccache/ccfns.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r19910 from trunk

r19910@cathode-dark-space: tlyu | 2007-09-03 22:10:13 -0400
ticket: 5697

Bail out if encoded "ticket" doesn't decode correctly. This allows
t_cc test case to pass and allows non-tickets to be stored (for now).



Commit By: tlyu



Revision: 19928
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/ccache/ccfns.c