From jhawk@MIT.EDU Sun Oct 6 02:03:57 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id CAA01291 for <bugs@RT-11.MIT.EDU>; Sun, 6 Oct 1996 02:03:56 -0400
Received: from LOLA-GRANOLA.MIT.EDU by MIT.EDU with SMTP
id AB11989; Sun, 6 Oct 96 02:03:56 EDT
Received: (from jhawk@localhost) by lola-granola.MIT.EDU (8.6.12/8.6.12) id CAA23991; Sun, 6 Oct 1996 02:03:54 -0400
Message-Id: <199610060603.CAA23991@lola-granola.MIT.EDU>
Date: Sun, 6 Oct 1996 02:03:54 -0400
From: John Hawkinson <>
To: krb5-bugs@MIT.EDU
Subject: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP

>Number: 68
>Category: krb5-kdc
>Synopsis: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: tytso
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Oct e 02:04:01 EDT 1996
>Last-Modified: Thu Nov 07 17:54:54 EST 1996
>Originator: John Hawkinson
BBN Planet
>Release: 1.0-development
System: NetBSD lola-granola 1.1B NetBSD 1.1B (LOLA) #2: Thu Jul 11 00:13:13 EDT 1996 mycroft@zygorthian-space-raiders:/afs/ i386

Bug is also present in beta-7.

(This PR is "critical" because it is a protocol bug.)

Attempting to obtain a ticket from the KDC with PA-ENC-TIMESTAMP
preauthentication fails. RFC1510 requires this option to either
be implemented or ignored if not implemented. The current kdc
instead rejects it.
Attempt to obtain tickets from IOS with "kerberos preauthenticate
encrypted-unix-timestamp" set. Watch it fail. The kdc logs:

Oct 6 01:44:03 liam-gw syslog: AS_REQ PREAUTH_FAILED: test@BBNPLANET.NET for krbtgt/BBNPLANET.NET@BBNPLANET.NET, Preauthentication failed

This violates RFC1510 Section 9.1 subsection "Pre-authentication methods",
on [Page 86], which states:

The TGS-REQ method must be supported. The TGS-REQ method is not used
on the initial request. The PA-ENC-TIMESTAMP method must be supported
by clients but whether it is enabled by default may be determined on
a realm by realm basis. If not used in the initial request and the
as an acceptable method, the client should retry the initial request
using the PA-ENC-TIMESTAMP preauthentication method. SERVERS NEED NOT
A REQUEST. [Emphasis mine]

The right fix is for the kdc to support PA-ENC-TIMESTAMP (it would be
nice for the clients to support it, too). This is not too hard.

The easy (short-term) solution is for the server to ignore the option.

From: John Hawkinson <>
To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Cc: krb5-prs@RT-11.MIT.EDU, krb5-bugs@MIT.EDU
Subject: Re: krb5-kdc/68: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP
Date: Mon, 7 Oct 1996 12:02:19 -0400 (EDT)

> Note that the KDC does in fact support PA-ENC-TIMESTAMP. This may be a
> bug in the KDC not implementing the preauthentication type correctly,
> but we also have to consider the possibility that the IOS screwed up.
> More research is necessary....


It appears I succeeded in confusing KRB5_PADATA_ENC_UNIX_TIME and
KRB5_PADATA_ENC_TIMESTAMP. The former is what was being used here and
is generating the failure, and the latter is what RFC1510 mandates and
what Beta 7 supports.

Someone should downgrade this PR.

Of course, it would be nice if:

1) The kdc would provide more useful information. In addition
to what I noted in my pr (logged to user.?), it also logged something
to auth.?, seemingly cryptically:

Oct 6 02:10:31 liam-gw syslog: Unknown code jI 200 - pa verify failure
Oct 7 11:11:18 liam-gw syslog: Unknown code iX 40 - pa verify failure
Oct 7 11:35:20 liam-gw syslog: Unknown code hl 184 - pa verify failure
Oct 7 11:39:03 liam-gw syslog: Unknown code hl 184 - pa verify failure
Oct 7 11:46:12 liam-gw syslog: Unknown code hl 184 - pa verify failure

2) The maintainer of the Kerberos 5 tcpdump patches would
wake up and get them finished. Feel free to admonish him about
this :-)


ps: What is the canonical address for the list formerly known as
krb5-bugs? Choices appear to be and, neither of which seems awfully
appropriate. I would think should be
renamed to and that should be the address
canonically advertised...

Responsible-Changed-From-To: krb5-unassigned->tytso
Responsible-Changed-By: tytso
Responsible-Changed-When: Mon Nov 4 14:46:29 1996
Responsible-Changed-Why: There is a bug in the bogus error codes logged
by the KDC.

State-Changed-From-To: open-closed
State-Changed-By: tytso
State-Changed-When: Thu Nov 7 17:54:32 1996
State-Changed-Why: Fixed error which caused bogus error codes to be logged
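
The handling the report asks for (skip a pre-authentication type the server does not implement, and name the type when verification fails), as an added example that is not MIT krb5 code. `struct padata`, `check_padata` and the `blob_ok` flag are constructed for illustration; the only real values are the padata-type numbers 2 (PA-ENC-TIMESTAMP in RFC 1510) and 5 (KRB5_PADATA_ENC_UNIX_TIME in MIT's krb5.h).

```c
#include <stdio.h>
#include <stddef.h>

/* padata-type numbers: 2 is RFC 1510's PA-ENC-TIMESTAMP; 5 is the value
 * MIT's krb5.h gives KRB5_PADATA_ENC_UNIX_TIME. */
enum { PA_ENC_TIMESTAMP = 2, PA_ENC_UNIX_TIME = 5 };
enum pa_result { PA_VERIFIED, PA_NONE_USABLE, PA_FAILED };

struct padata {
    int type;
    int blob_ok;   /* constructed stand-in for "decrypts and is within clock skew" */
};

/* Hypothetical table of the methods this server implements. */
static const struct { int type; const char *name; } supported[] = {
    { PA_ENC_TIMESTAMP, "PA-ENC-TIMESTAMP" },
};

static const char *pa_name(int type)
{
    for (size_t i = 0; i < sizeof supported / sizeof supported[0]; i++)
        if (supported[i].type == type)
            return supported[i].name;
    return NULL;   /* not implemented here */
}

/* Walk the request's padata. Unimplemented types are skipped, not rejected;
 * an implemented type that fails verification rejects the request, and the
 * log line carries the numeric type so the operator can see what was sent. */
enum pa_result check_padata(const struct padata *pa, size_t n,
                            char *log, size_t loglen)
{
    enum pa_result res = PA_NONE_USABLE;
    if (loglen > 0)
        log[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        const char *name = pa_name(pa[i].type);
        if (name == NULL) {
            snprintf(log, loglen, "ignored unimplemented padata type %d", pa[i].type);
            continue;
        }
        if (!pa[i].blob_ok) {
            snprintf(log, loglen, "padata type %d (%s): verify failure", pa[i].type, name);
            return PA_FAILED;
        }
        res = PA_VERIFIED;
    }
    return res;
}
```

`PA_NONE_USABLE` means the request continues as if no pre-authentication had been supplied; whether the principal requires pre-authentication is a separate policy decision made by the caller.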
