Skip Menu |
 

Download (untitled) / with headers
text/plain 3.2KiB
From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Mar 18 18:26:57 2009
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
X-Original-To: krb5-send-pr-nospam1@krbdev.mit.edu
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id D3E3ECCC84;
Wed, 18 Mar 2009 18:26:57 +0000 (UTC)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n2IIQvMw011599;
Wed, 18 Mar 2009 14:26:57 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
[18.7.21.83])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id n2IG9YeF021478
for <krb5-bugs-incoming@PCH.mit.edu>; Wed, 18 Mar 2009 12:09:34 -0400
Received: from mit.edu (W92-130-BARRACUDA-3.MIT.EDU [18.7.21.224])
by pacific-carrier-annex.mit.edu (8.13.6/8.9.2) with ESMTP id
n2IG9Q2p023353
for <krb5-bugs@mit.edu>; Wed, 18 Mar 2009 12:09:27 -0400 (EDT)
Received: from f04n07.cac.psu.edu (localhost [127.0.0.1])
by mit.edu (Spam Firewall) with ESMTP id 0568715DD970
for <krb5-bugs@mit.edu>; Wed, 18 Mar 2009 12:09:15 -0400 (EDT)
Received: from f04n07.cac.psu.edu (f04s07.cac.psu.edu [128.118.141.35]) by
mit.edu with ESMTP id TKHdns2yIPlCwa86 for <krb5-bugs@mit.edu>;
Wed, 18 Mar 2009 12:09:15 -0400 (EDT)
X-Barracuda-Reputation: Registry
Received: from smallbus.aset.psu.edu (smallbus.aset.psu.edu [128.118.57.250])
by f04n07.cac.psu.edu (8.13.2/8.13.2) with ESMTP id n2IG9Bu3045952
for <krb5-bugs@mit.edu>; Wed, 18 Mar 2009 12:09:12 -0400
Received: (from pgp@localhost)
by smallbus.aset.psu.edu (AIX5.3/8.13.4/8.11.0) id n2IG7gwA017670;
Wed, 18 Mar 2009 12:07:42 -0400
Date: Wed, 18 Mar 2009 12:07:42 -0400
Message-Id: <200903181607.n2IG7gwA017670@smallbus.aset.psu.edu>
To: krb5-bugs@mit.edu
Subject: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
From: pgp@psu.edu
X-send-pr-version: 3.99
X-Spam-Score: 0.55
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 18 Mar 2009 14:26:56 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: pgp@psu.edu
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


Show quoted text
>Submitter-Id: net
>Originator: Phil Pishioneri
>Organization: Penn State University, ITS

Show quoted text
>Confidential: no
>Synopsis: KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
>Severity: non-critical
>Priority: medium
>Category: krb5-kdc
>Class: sw-bug
>Release: krb5-current
>Environment:

System: AIX smallbus 3 5 000F48BD4C00


Show quoted text
>Description:
In kdc/kdc_util.c, there are two checks for password (key)
expiration and account expiration. In each case, the code (and
error return) for key expiration is done before the check for
account expiration. However, it seems that account expiration
is more significant than key expiration, and should be checked
for, and returned first.

Show quoted text
>How-To-Repeat:
Create an account, expire both the password and account.
Attempt to "kinit" to the account: KDC_ERR_KEY_EXP ("CLIENT KEY
EXPIRED") will be returned instead of KDC_ERR_NAME_EXP
("CLIENT EXPIRED").

Show quoted text
>Fix:
In the two areas of code (search for "KDC_ERR_NAME_EXP" to find
them), move the check for KDC_ERR_NAME_EXP to be before the
check for KDC_ERR_KEY_EXP. A diff can be provided if that would
help to clarify the change.
Date: Tue, 09 Jun 2009 14:23:19 -0400
From: Phil Pishioneri <pgp@psu.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.3KiB
Not a diff, but here are the two locations in 1.7 where the two |if|
statements need switched around:

Location 1:

941 /* The client's password must not be expired, unless the server is
942 a KRB5_KDC_PWCHANGE_SERVICE. */
943 if (client.pw_expiration && client.pw_expiration < kdc_time &&
944 !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) {
945 *status = "CLIENT KEY EXPIRED";
946 #ifdef KRBCONF_VAGUE_ERRORS
947 return(KRB_ERR_GENERIC);
948 #else
949 return(KDC_ERR_KEY_EXP);
950 #endif
951 }
952
953 /* The client must not be expired */
954 if (client.expiration && client.expiration < kdc_time) {
955 *status = "CLIENT EXPIRED";
956 #ifdef KRBCONF_VAGUE_ERRORS
957 return(KRB_ERR_GENERIC);
958 #else
959 return(KDC_ERR_NAME_EXP);
960 #endif
961 }


Location 2:

1873 /* The client's password must not be expired, unless the server is
1874 a KRB5_KDC_PWCHANGE_SERVICE. */
1875 if (client->pw_expiration && client->pw_expiration < kdc_time) {
1876 *status = "CLIENT KEY EXPIRED";
1877 return KDC_ERR_KEY_EXP;
1878 }
1879
1880 /* The client must not be expired */
1881 if (client->expiration && client->expiration < kdc_time) {
1882 *status = "CLIENT EXPIRED";
1883 return KDC_ERR_NAME_EXP;
1884 }

-Phil
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
From: Tom Yu <tlyu@MIT.EDU>
Date: Wed, 24 Jun 2009 13:45:25 -0400
RT-Send-Cc:
"pgp@psu.edu via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> Not a diff, but here are the two locations in 1.7 where the two |if|
> statements need switched around:

Thanks for the information, and sorry for the delay. Is it correct to
assume that your excerpts are from src/kdc/kdc_util.c?

It's not completely clear why the KDC validation proceeds in the order
it currently does. I will ask around to confirm that there is no good
reason for the existing ordering.
Date: Wed, 24 Jun 2009 14:02:09 -0400
From: Phil Pishioneri <pgp@psu.edu>
To: rt-comment@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6428] KDC prefers returning KDC_ERR_KEY_EXP vs. KDC_ERR_NAME_EXP
RT-Send-Cc:
On 6/24/09 1:45 PM, Tom Yu via RT wrote:
Show quoted text
> Thanks for the information, and sorry for the delay. Is it correct to
> assume that your excerpts are from src/kdc/kdc_util.c?

Correct.

Show quoted text
> It's not completely clear why the KDC validation proceeds in the order
> it currently does. I will ask around to confirm that there is no good
> reason for the existing ordering.

OK. Thanks! -Phil
From: tlyu@mit.edu
Subject: SVN Commit

Check for principal expiration prior to checking for password
expiration. Reported by Phil Pishioneri.

https://github.com/krb5/krb5/commit/36031a837ed7a6716682febf97efbf5eb2a8bc5b
Commit By: tlyu
Revision: 22422
Changed Files:
U trunk/src/kdc/kdc_util.c
From: tlyu@mit.edu
Subject: SVN Commit

Add test case omitted in last commit.

https://github.com/krb5/krb5/commit/3d487f78ceaa334a56b64f0d4393e3c3a4597504
Commit By: tlyu
Revision: 22423
Changed Files:
A trunk/src/tests/dejagnu/krb-standalone/princexpire.exp
From: tlyu@mit.edu
Subject: SVN Commit

pull up r22423, r22422 from trunk

------------------------------------------------------------------------
r22423 | tlyu | 2009-06-25 22:44:41 -0400 (Thu, 25 Jun 2009) | 4 lines

ticket: 6428

Add test case omitted in last commit.
------------------------------------------------------------------------
r22422 | tlyu | 2009-06-25 22:43:21 -0400 (Thu, 25 Jun 2009) | 8 lines

ticket: 6428
version_reported: 1.7
target_version: 1.7.1
tags: pullup

Check for principal expiration prior to checking for password
expiration. Reported by Phil Pishioneri.

https://github.com/krb5/krb5/commit/ba1ae9f6beb87375ebc79276354f374f8b7582aa
Commit By: tlyu
Revision: 22802
Changed Files:
U branches/krb5-1-7/src/kdc/kdc_util.c
A branches/krb5-1-7/src/tests/dejagnu/krb-standalone/princexpire.exp