From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Nov 17 09:09:48 2010
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id D5E193E618;
Wed, 17 Nov 2010 09:09:47 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id oAHE9lxc027722;
Wed, 17 Nov 2010 09:09:47 -0500
Received: from mailhub-dmz-1.mit.edu (MAILHUB-DMZ-1.MIT.EDU [18.9.21.41])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id oAHBaV26032567
for <krb5-bugs-incoming@PCH.mit.edu>; Wed, 17 Nov 2010 06:36:31 -0500
Received: from dmz-mailsec-scanner-7.mit.edu (DMZ-MAILSEC-SCANNER-7.MIT.EDU
[18.7.68.36])
by mailhub-dmz-1.mit.edu (8.13.8/8.9.2) with ESMTP id oAHBaKMl008029
for <krb5-bugs@mit.edu>; Wed, 17 Nov 2010 06:36:30 -0500
X-AuditID: 12074424-b7b0bae000000a05-a6-4ce3be3ea0d9
Received: from piquet.bath.ac.uk ( [138.38.0.36])
by dmz-mailsec-scanner-7.mit.edu (Symantec Brightmail Gateway) with
SMTP id 6A.43.02565.E3EB3EC4; Wed, 17 Nov 2010 06:36:30 -0500 (EST)
Received: from bahamontes.bath.ac.uk ([138.38.56.200])
by piquet.bath.ac.uk with esmtps (TLSv1:DHE-RSA-AES256-SHA:256)
(Exim 4) (envelope-from <ccsdhd@bahamontes.bath.ac.uk>)
id 1PIgJR-0005Ty-8D; Wed, 17 Nov 2010 11:36:29 +0000
Received: from ccsdhd by bahamontes.bath.ac.uk with local
(envelope-from <ccsdhd@bahamontes.bath.ac.uk>)
id 1PIgJQ-0004ix-Fp; Wed, 17 Nov 2010 11:36:28 +0000
Date: Wed, 17 Nov 2010 11:36:28 +0000
Message-Id: <E1PIgJQ-0004ix-Fp@bahamontes.bath.ac.uk>
To: krb5-bugs@mit.edu
Subject: krb5-admin : possible bug ?
From: Dennis Davis <D.H.Davis@bath.ac.uk>
X-send-pr-version: 3.99
X-Scanner: f5fc8eb8bae91379a9a301d816b7e170ccac546c
X-Brightmail-Tracker: AAAAAA==
X-Mailman-Approved-At: Wed, 17 Nov 2010 09:09:43 -0500
Cc: Dennis Davis <d.h.davis@bath.ac.uk>
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: Dennis Davis <D.H.Davis@bath.ac.uk>
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


>Submitter-Id: net
>Originator: Dennis Davis
>Organization: BUCS, University of Bath, Bath, BA2 7AY, UK
>Confidential: no
>Synopsis: The +preauth default in kdc.conf isn't always obeyed.
>Severity: non-critical
>Priority: low
>Category: krb5-admin
>Class: sw-bug
>Release: 1.8.3
>Environment:

System: OpenBSD bahamontes.bath.ac.uk 4.8 GENERIC.MP#359 i386


>Description:
I'm running an experimental krb5-1.8.3 server and I've noticed that
I get different (and erroneous?) behaviour from krb5-1.7.1 and
krb5-1.6.3 kadmin clients. All of this is on various releases of
the OpenBSD operating system, although that shouldn't be relevant.

kdc.conf on my server looks like:


[kdcdefaults]
kdc_ports = 88

[realms]
BATH.AC.UK = {
database_name = /kerberosV/var/krb5kdc/principal
admin_keytab = /kerberosV/var/krb5kdc/kadm5.keytab
acl_file = /kerberosV/var/krb5kdc/kadm5.acl
dict_file = /kerberosV/var/krb5kdc/kadm5.dict
key_stash_file = /kerberosV/var/krb5kdc/.k5.BATH.AC.UK
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des-cbc-crc
supported_enctypes = aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal des-cbc-crc:normal des-cbc-crc:v4
default_principal_flags = +postdateable,+forwardable,+tgt-based,+renewable,+proxiable,+dup-skey,+allow-tickets,+service,+preauth
}


This should be fairly standard, with the exception of the "+preauth"
flag being added to "default_principal_flags" as an addition to the
default flags.

If I create principals using a krb5-1.6.3 or krb5-1.7.1 kadmin
client *and* specify the -randkey argument, the principal is created
without the +preauth flag being set. The +preauth is set only when
I use a krb5-1.8.3 kadmin client with -randkey.

This is demonstrated in the following terminal session:


Script started on Tue Nov 16 16:15:19 2010
ancho.bath.ac.uk ?// krb5-config --all
Version: Kerberos 5 release 1.6.3
Vendor: Massachusetts Institute of Technology
Prefix: /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Password for ccsdhd/admin@BATH.AC.UK:
kadmin: addprinc bungle1
WARNING: no policy specified for bungle1@BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle1@BATH.AC.UK":
Re-enter password for principal "bungle1@BATH.AC.UK":
Principal "bungle1@BATH.AC.UK" created.
kadmin: getprinc bungle1
Principal: bungle1@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:19 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:16:19 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: addprinc -randkey bungle2
WARNING: no policy specified for bungle2@BATH.AC.UK; defaulting to no policy
Principal "bungle2@BATH.AC.UK" created.
kadmin: getprinc bungle2
Principal: bungle2@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:16:56 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:16:56 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin: quit
ancho.bath.ac.uk ?// krb5-config --all
Version: Kerberos 5 release 1.7.1
Vendor: Massachusetts Institute of Technology
Prefix: /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Password for ccsdhd/admin@BATH.AC.UK:
kadmin: addprinc bungle3
WARNING: no policy specified for bungle3@BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle3@BATH.AC.UK":
Re-enter password for principal "bungle3@BATH.AC.UK":
Principal "bungle3@BATH.AC.UK" created.
kadmin: getprinc bungle3
Principal: bungle3@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:17:44 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:17:45 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: addprinc -randkey bungle4
WARNING: no policy specified for bungle4@BATH.AC.UK; defaulting to no policy
Principal "bungle4@BATH.AC.UK" created.
kadmin: getprinc bungle4
Principal: bungle4@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:18:21 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:18:21 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes:
Policy: [none]
kadmin: quit
ancho.bath.ac.uk ?// krb5-config --all
Version: Kerberos 5 release 1.8.3
Vendor: Massachusetts Institute of Technology
Prefix: /kerberosV
Exec_prefix: /kerberosV
ancho.bath.ac.uk ?// kadmin
Authenticating as principal ccsdhd/admin@BATH.AC.UK with password.
Password for ccsdhd/admin@BATH.AC.UK:
kadmin: addprinc bungle5
WARNING: no policy specified for bungle5@BATH.AC.UK; defaulting to no policy
Enter password for principal "bungle5@BATH.AC.UK":
Re-enter password for principal "bungle5@BATH.AC.UK":
Principal "bungle5@BATH.AC.UK" created.
kadmin: getprinc bungle5
Principal: bungle5@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:19:12 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:19:12 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 6
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: addprinc -randkey bungle6
WARNING: no policy specified for bungle6@BATH.AC.UK; defaulting to no policy
Principal "bungle6@BATH.AC.UK" created.
kadmin: getprinc bungle6
Principal: bungle6@BATH.AC.UK
Expiration date: [never]
Last password change: Tue Nov 16 16:19:36 GMT 2010
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Nov 16 16:19:36 GMT 2010 (ccsdhd/admin@BATH.AC.UK)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: quit
ancho.bath.ac.uk ?// exit

Script done on Tue Nov 16 16:19:50 2010

>How-To-Repeat:
See above.
>Fix:
Not known.

Date: Wed, 17 Nov 2010 15:33:13
From: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
To: D.H.Davis@bath.ac.uk
Subject: [krbdev.mit.edu #6821] The +preauth default in kdc.conf isn't always obeyed.

Prior to 1.8, addprinc -randkey was implemented in three RPCs: create the
principal with a dummy password and the disallow-all-tix flag, randomize
its password, unset the disallow-all-tix flag. This had the unfortunate
side effect of ignoring the KDC's default flags.

There is now a better way (create the principal with a null password),
but clients and servers both have to be at 1.8 for it to work.
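A toy model of the two addprinc -randkey flows Greg describes, added here as an illustration; it is not code from MIT krb5 or from this ticket. It assumes one kadm5 server rule the ticket does not spell out: when a create or modify request's mask carries the ATTRIBUTES bit, the server stores the client's attribute word verbatim and default_principal_flags is applied only when that bit is absent. The class ToyKadmServer, the function names, the bit values and the principal names are all constructed.

```python
"""Toy model of the two 'addprinc -randkey' flows described in this ticket.

Added illustration only; this is not MIT krb5 code.  The one assumption
about kadm5 semantics is that a create/modify request whose mask carries
KADM5_ATTRIBUTES stores the client's attribute word verbatim, and that
default_principal_flags is applied only when that mask bit is absent.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Attribute bits (names follow the kadmin flag names; values are constructed).
REQUIRES_PRE_AUTH = 0x80
DISALLOW_ALL_TIX = 0x40

# Mask bit meaning "the client set the attributes field explicitly".
KADM5_ATTRIBUTES = 0x1


@dataclass
class Principal:
    name: str
    attributes: int
    kvno: int


class ToyKadmServer:
    """Minimal kadm5 server: a database plus default_principal_flags."""

    def __init__(self, default_principal_flags: int) -> None:
        self.default_flags = default_principal_flags
        self.db: Dict[str, Principal] = {}

    def create_principal(self, name: str, attributes: int, mask: int,
                         password: Optional[str]) -> Principal:
        if name in self.db:
            raise KeyError(f"{name} already exists")
        # Assumed rule: explicit attributes win, otherwise defaults apply.
        attrs = attributes if mask & KADM5_ATTRIBUTES else self.default_flags
        # A password, or a null password with server-side random keys (the
        # 1.8 flow), both produce key version 1 in the same RPC.
        self.db[name] = Principal(name, attrs, kvno=1)
        return self.db[name]

    def modify_principal(self, name: str, attributes: int, mask: int) -> Principal:
        p = self.db[name]
        if mask & KADM5_ATTRIBUTES:
            p.attributes = attributes
        return p

    def randkey_principal(self, name: str) -> Principal:
        p = self.db[name]
        p.kvno += 1  # fresh random keys get the next key version number
        return p

    def getprinc(self, name: str) -> Principal:
        return self.db[name]


def addprinc_password(server: ToyKadmServer, name: str, password: str,
                      requested_attrs: int = 0, mask: int = 0) -> Principal:
    """Plain 'addprinc NAME': one RPC; defaults apply unless flags were given."""
    server.create_principal(name, requested_attrs, mask, password)
    return server.getprinc(name)


def addprinc_randkey_pre18(server: ToyKadmServer, name: str,
                           requested_attrs: int = 0) -> Principal:
    """Pre-1.8 client: the three RPCs described in the ticket."""
    # 1. create with a dummy password and DISALLOW_ALL_TIX set explicitly
    server.create_principal(name, requested_attrs | DISALLOW_ALL_TIX,
                            KADM5_ATTRIBUTES, "dummy-password")
    # 2. randomize the keys (key version becomes 2)
    server.randkey_principal(name)
    # 3. clear DISALLOW_ALL_TIX, again sending attributes explicitly, so the
    #    server's default flags never get a chance to apply
    server.modify_principal(name, requested_attrs, KADM5_ATTRIBUTES)
    return server.getprinc(name)


def addprinc_randkey_18(server: ToyKadmServer, name: str) -> Principal:
    """1.8 client and server: one RPC with a null password."""
    server.create_principal(name, 0, 0, None)
    return server.getprinc(name)


def flag_names(attributes: int) -> str:
    """Render the attribute word the way getprinc's Attributes: line does."""
    names = []
    if attributes & REQUIRES_PRE_AUTH:
        names.append("REQUIRES_PRE_AUTH")
    if attributes & DISALLOW_ALL_TIX:
        names.append("DISALLOW_ALL_TIX")
    return " ".join(names)


if __name__ == "__main__":
    kdc = ToyKadmServer(default_principal_flags=REQUIRES_PRE_AUTH)
    for p in (addprinc_password(kdc, "bungle1", "hunter2"),
              addprinc_randkey_pre18(kdc, "bungle2"),
              addprinc_randkey_18(kdc, "bungle6"),
              addprinc_randkey_pre18(kdc, "host/svc", REQUIRES_PRE_AUTH)):
        print(f"{p.name:10s} kvno {p.kvno}  Attributes: {flag_names(p.attributes)}")
```

The three modelled outcomes match the session in the report: a password-created principal and a 1.8 -randkey principal both end with kvno 1 and REQUIRES_PRE_AUTH, while the pre-1.8 three-RPC path ends with kvno 2 and an empty attribute list. The last case shows the mitigation available to an older client within this model: naming the flag explicitly on the addprinc line (kadmin's +requires_preauth) puts it into the attribute word that survives the final modify, so the principal gets REQUIRES_PRE_AUTH without relying on the server's defaults.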
Date: Wed, 17 Nov 2010 16:00:05 +0000 (GMT)
From: Dennis Davis <D.H.Davis@bath.ac.uk>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #6821] The +preauth default in kdc.conf isn't always obeyed.
On Wed, 17 Nov 2010, Greg Hudson via RT wrote:

> From: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
> To: D.H.Davis@bath.ac.uk
> Date: Wed, 17 Nov 2010 15:33:13
> Subject: [krbdev.mit.edu #6821] The +preauth default in kdc.conf isn't always
> obeyed.
>
> Prior to 1.8, addprinc -randkey was implemented in three
> RPCs: create the principal with a dummy password and the
> disallow-all-tix flag, randomize its password, unset the
> disallow-all-tix flag. This had the unfortunate side effect of
> ignoring the KDC's default flags.
>
> There is now a better way (create the principal with a null
> password), but clients and servers both have to be at 1.8 for it
> to work.

Thanks for the very prompt reply.

I wondered if something like this was happening when I noticed
-randkey with 1.6.3 and 1.7.1 kadmin produced principals with a Key
vno of 2, whereas -randkey with a 1.8.x kadmin produced principals
with a Key vno of 1.

I note you're using RT so please flag this ticket as closed, if
you haven't done so already. It would be unreasonable to expect
the improved interface to be back-ported to earlier versions of
kerberos.

(This arose because I've recently switched to using the +preauth
default for all principals associated with humanoids. Easily
done by making it the default in kdc.conf. Typically I, and I
suspect others, use -randkey when generating host and service based
principals. So I was expecting to have to turn off preauth on such
principals as I'm not quite ready to go there yet. I was puzzled
when I didn't have to turn off +preauth with a production KDC
running 1.6.3. It had already been done for me!)
--
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
D.H.Davis@bath.ac.uk Phone: +44 1225 386101
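Dennis's observation gives an operator a concrete audit: dump getprinc output for the principals created with older kadmin clients and look for empty Attributes lines (key version 2 is the trace of the three-RPC path). The parser and check below are an added example, not part of the ticket or of MIT krb5; SAMPLE is a constructed excerpt in the format of the terminal session above, with one invented host/ principal added so the check has a third case.

```python
"""Audit kadmin 'getprinc' output for principals that lack REQUIRES_PRE_AUTH.

Added example, not code from MIT krb5 or from this ticket.  SAMPLE is a
constructed excerpt in the format of the ticket's terminal session; the
host/ principal is invented for the example.
"""
import re
from typing import Any, Dict, FrozenSet, List, Optional, Tuple

SAMPLE = """\
kadmin: getprinc bungle1
Principal: bungle1@BATH.AC.UK
Number of keys: 2
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: getprinc bungle2
Principal: bungle2@BATH.AC.UK
Number of keys: 1
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
Policy: [none]
kadmin: getprinc host/constructed.example
Principal: host/constructed.example@BATH.AC.UK
Number of keys: 1
Key: vno 3, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes: DISALLOW_SVR REQUIRES_PRE_AUTH
Policy: [none]
"""

# "Key: vno N, <enctype>, <salt>"; the enctype never contains ", ".
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")

Record = Dict[str, Any]


def parse_getprinc(text: str) -> Dict[str, Record]:
    """Split concatenated getprinc output into one record per principal.

    Each record carries the attribute flags as a set and the key list as
    (kvno, enctype) tuples; lines outside a Principal block are ignored.
    """
    records: Dict[str, Record] = {}
    current: Optional[Record] = None
    for line in text.splitlines():
        if line.startswith("Principal: "):
            current = {"attributes": set(), "keys": []}
            records[line[len("Principal: "):].strip()] = current
        elif current is None:
            continue
        elif line.startswith("Attributes:"):
            # An empty Attributes: line (the failure case) yields an empty set.
            current["attributes"] = set(line[len("Attributes:"):].split())
        else:
            m = KEY_RE.match(line)
            if m:
                current["keys"].append((int(m.group(1)), m.group(2)))
    return records


def audit_flags(records: Dict[str, Record],
                required: FrozenSet[str] = frozenset({"REQUIRES_PRE_AUTH"})
                ) -> List[Tuple[str, List[str], int]]:
    """Return (principal, missing flags, highest kvno) for every principal
    that lacks any of the required flags; the kvno helps tell a principal
    created by the old three-RPC -randkey path (kvno 2) from others."""
    findings = []
    for name, rec in records.items():
        missing = sorted(required - rec["attributes"])
        if missing:
            max_kvno = max((v for v, _ in rec["keys"]), default=0)
            findings.append((name, missing, max_kvno))
    return findings


if __name__ == "__main__":
    for name, missing, kvno in audit_flags(parse_getprinc(SAMPLE)):
        print(f"{name}: missing {' '.join(missing)} (highest kvno {kvno})")
```

In practice the input comes from a script session such as the one in the report, or from running getprinc over the output of listprincs; principals that the audit flags can be brought into line with `modprinc +requires_preauth`, which the ticket's own kdc.conf shows is the intended default for this realm.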