From jhawk@MIT.EDU Sun Oct 6 02:03:57 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id CAA01291 for <bugs@RT-11.MIT.EDU>; Sun, 6 Oct 1996 02:03:56 -0400
Received: from LOLA-GRANOLA.MIT.EDU by MIT.EDU with SMTP
id AB11989; Sun, 6 Oct 96 02:03:56 EDT
Received: (from jhawk@localhost) by lola-granola.MIT.EDU (8.6.12/8.6.12) id CAA23991; Sun, 6 Oct 1996 02:03:54 -0400
Message-Id: <199610060603.CAA23991@lola-granola.MIT.EDU>
Date: Sun, 6 Oct 1996 02:03:54 -0400
From: John Hawkinson <jhawk@bbnplanet.com>
To: krb5-bugs@MIT.EDU
Subject: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP

>Number: 68
>Category: krb5-kdc
>Synopsis: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tytso
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Oct e 02:04:01 EDT 1996
>Last-Modified: Thu Nov 07 17:54:54 EST 1996
>Originator: John Hawkinson
>Organization:
BBN Planet
>Release: 1.0-development
>Environment:
System: NetBSD lola-granola 1.1B NetBSD 1.1B (LOLA) #2: Thu Jul 11 00:13:13 EDT 1996 mycroft@zygorthian-space-raiders:/afs/sipb.mit.edu/project/netbsd/dev/current-source/build/i386_nbsd1/sys/arch/i386/compile/LOLA i386

Bug is also present in beta-7.
>Description:

(This PR is "critical" because it is a protocol bug.)

Attempting to obtain a ticket from the KDC with PA-ENC-TIMESTAMP
preauthentication fails. RFC1510 requires this option to either
be implemented or ignored if not implemented. The current kdc
instead rejects it.
>How-To-Repeat:
Attempt to obtain tickets from IOS with "kerberos preauthenticate
encrypted-unix-timestamp" set. Watch it fail. The kdc logs:

Oct 6 01:44:03 liam-gw syslog: AS_REQ 199.94.220.6(88): PREAUTH_FAILED: test@BBNPLANET.NET for krbtgt/BBNPLANET.NET@BBNPLANET.NET, Preauthentication failed

This violates RFC1510 Section 9.1 subsection "Pre-authentication methods",
on [Page 86], which states:

The TGS-REQ method must be supported. The TGS-REQ method is not used
on the initial request. The PA-ENC-TIMESTAMP method must be supported
by clients but whether it is enabled by default may be determined on
a realm by realm basis. If not used in the initial request and the
error KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENCTIMESTAMP
as an acceptable method, the client should retry the initial request
using the PA-ENC-TIMESTAMP preauthentication method. SERVERS NEED NOT
SUPPORT THE paenc-timestamp METHOD, BUT IF NOT SUPPORTED THE SERVER
SHOULD IGNORE THE PRESENCE OF pa-enc-timestamp PRE-AUTHENTICATION IN
A REQUEST. [Emphasis mine]

>Fix:

The right fix is for the kdc to support PA-ENC-TIMESTAMP (it would be
nice for the clients to support it, too). This is not too hard.

The easy (short-term) solution is for the server to ignore the option.
>Audit-Trail:

From: John Hawkinson <jhawk@bbnplanet.com>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-prs@RT-11.MIT.EDU, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/68: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP
Date: Mon, 7 Oct 1996 12:02:19 -0400 (EDT)

> Note that the KDC does in fact support PA-ENC-TIMESTAMP. This may be a
> bug in the KDC not implementing the preauthentication type correctly,
> but we also have to consider the possibility that the IOS screwed up.
> More research is necessary....

Sigh.

It appears I succeeded in confusing KRB5_PADATA_ENC_UNIX_TIME and
KRB5_PADATA_ENC_TIMESTAMP. The former is what was being used here and
is generating the failure, and the latter is what RFC1510 mandates and
what Beta 7 supports.

Someone should downgrade this PR.

Of course, it would be nice if:

1) The kdc would provide more useful information. In addition
to what I noted in my pr (logged to user.?), it also logged something
to auth.?, seemingly cryptically:

Oct 6 02:10:31 liam-gw syslog: Unknown code jI 200 - pa verify failure
Oct 7 11:11:18 liam-gw syslog: Unknown code iX 40 - pa verify failure
Oct 7 11:35:20 liam-gw syslog: Unknown code hl 184 - pa verify failure
Oct 7 11:39:03 liam-gw syslog: Unknown code hl 184 - pa verify failure
Oct 7 11:46:12 liam-gw syslog: Unknown code hl 184 - pa verify failure

2) The maintainer of the Kerberos 5 tcpdump patches would
wake up and get them finished. Feel free to admonish him about
this :-)

--jhawk

ps: What is the canonical address for the list formerly known as
krb5-bugs? Choices appear to be krb5-prs@rt-11.mit.edu and
krb5-bugs-redist@mit.edu, neither of which seems awfully
appropriate. I would think krb5-bugs-redist@mit.edu should be
renamed to krb5-prs@mit.edu and that should be the address
canonically advertised...

Responsible-Changed-From-To: krb5-unassigned->tytso
Responsible-Changed-By: tytso
Responsible-Changed-When: Mon Nov 4 14:46:29 1996
Responsible-Changed-Why: There is a bug in the bogus error codes logged
by the KDC.

State-Changed-From-To: open-closed
State-Changed-By: tytso
State-Changed-When: Thu Nov 7 17:54:32 1996
State-Changed-Why: Fixed error which caused bogus error codes to be logged


>Unformatted:
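
The RFC1510 rule quoted in this PR and the request for more useful KDC logging, as an added example (not code from MIT Kerberos or from this PR): a simplified padata walk that skips types it has no handler for and names the type that failed. The struct, function and handler names are hypothetical and the verifier is a constructed stub; the two type numbers are those in MIT krb5's krb5.h.

```c
#include <stdio.h>
#include <string.h>

/* Pre-authentication type numbers, as defined in MIT krb5's krb5.h. */
#define KRB5_PADATA_ENC_TIMESTAMP 2
#define KRB5_PADATA_ENC_UNIX_TIME 5

enum pa_result { PA_VERIFIED, PA_FAILED, PA_NOTHING_CHECKED };
/* Hypothetical types for this sketch; not the MIT KDC's own structures. */
struct pa_data { int type; const char *blob; };
struct pa_handler { int type; const char *name; int (*verify)(const char *); };

/* Constructed stand-in for decrypt-and-check-skew; returns 0 on success. */
int verify_stub(const char *blob) { return strcmp(blob, "good") != 0; }

/* Walk an AS-REQ's padata. Types without a handler are skipped (the RFC1510
 * rule for unsupported methods); a failure is logged with its type and name. */
enum pa_result check_padata(const struct pa_handler *h, size_t nh,
        const struct pa_data *pa, size_t npa, char *msg, size_t msglen)
{
    enum pa_result res = PA_NOTHING_CHECKED;
    size_t i, j;

    msg[0] = '\0';
    for (i = 0; i < npa; i++) {
        for (j = 0; j < nh && h[j].type != pa[i].type; j++)
            ;
        if (j == nh)
            continue; /* unsupported type: ignore, do not reject */
        if (h[j].verify(pa[i].blob) == 0)
            return PA_VERIFIED;
        snprintf(msg, msglen, "padata type %d (%s): verify failure",
                 pa[i].type, h[j].name);
        res = PA_FAILED;
    }
    return res;
}

int main(void)
{
    /* Constructed request carrying only the older type 5 padata. */
    struct pa_handler kdc[] = {
        { KRB5_PADATA_ENC_TIMESTAMP, "ENC_TIMESTAMP", verify_stub },
        { KRB5_PADATA_ENC_UNIX_TIME, "ENC_UNIX_TIME", verify_stub } };
    struct pa_data req[] = { { KRB5_PADATA_ENC_UNIX_TIME, "bad" } };
    char msg[128];
    if (check_padata(kdc, 2, req, 1, msg, sizeof msg) == PA_FAILED)
        puts(msg);
    return 0;
}
```

A caller that gets PA_NOTHING_CHECKED still has to decide, from the principal's policy, whether pre-authentication was required.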