From krb5-bugs-incoming-bounces@PCH.mit.edu Tue May 22 22:36:52 2012
Return-Path: <krb5-bugs-incoming-bounces@PCH.mit.edu>
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90])
by krbdev.mit.edu (Postfix) with ESMTP id 254423DE85;
Tue, 22 May 2012 22:36:52 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id q4N2apec026824;
Tue, 22 May 2012 22:36:51 -0400
Received: from mailhub-dmz-2.mit.edu (MAILHUB-DMZ-2.MIT.EDU [18.7.62.37])
by pch.mit.edu (8.13.6/8.12.8) with ESMTP id q4N1CTgm016207
for <krb5-bugs-incoming@PCH.mit.edu>; Tue, 22 May 2012 21:12:29 -0400
Received: from dmz-mailsec-scanner-8.mit.edu (DMZ-MAILSEC-SCANNER-8.MIT.EDU
[18.7.68.37])
by mailhub-dmz-2.mit.edu (8.13.8/8.9.2) with ESMTP id q4N1CNmQ018424
for <krb5-bugs@mit.edu>; Tue, 22 May 2012 21:12:29 -0400
X-AuditID: 12074425-b7f966d0000008b6-85-4fbc397cddaf
Authentication-Results: symauth.service.identifier
Received: from sl6hotz.jpl.nasa.gov (wildcard.jpl.nasa.gov [128.149.133.56])
by dmz-mailsec-scanner-8.mit.edu (Symantec Messaging Gateway) with SMTP
id 54.78.02230.C793CBF4; Tue, 22 May 2012 21:12:29 -0400 (EDT)
Received: by sl6hotz.jpl.nasa.gov (Postfix, from userid 1989)
id 478A22833F9; Tue, 22 May 2012 18:12:27 -0700 (PDT)
To: krb5-bugs@mit.edu
Subject: Insufficient Information Printed from the PKINIT Plugin
From: hotz@jpl.nasa.gov
X-send-pr-version: 3.99
Message-Id: <20120523011227.478A22833F9@sl6hotz.jpl.nasa.gov>
Date: Tue, 22 May 2012 18:12:27 -0700 (PDT)
X-Mailman-Approved-At: Tue, 22 May 2012 22:36:49 -0400
X-BeenThere: krb5-bugs-incoming@mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: hotz@jpl.nasa.gov
Sender: krb5-bugs-incoming-bounces@PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu


>Submitter-Id: net
>Originator: Henry B. Hotz
>Organization:
Jet Propulsion Laboratory
>Confidential: no
>Synopsis: Some important misconfigurations of the PKINIT plugin do not cause useful printout to KRB5_TRACE.
>Severity: non-critical
>Priority: medium
>Category: krb5-clients
>Class: support
>Release: 1.9
>Environment:
Intel VM, Scientific Linux 6.2, Scientific Linux 6.2, pkinit plugin
System: Linux sl6hotz.jpl.nasa.gov 2.6.32-220.13.1.el6.x86_64 #1 SMP Tue Apr 17 15:16:22 CDT 2012 x86_64 x86_64 x86_64 GNU/Linux
Architecture: x86_64

>Description:
Some errors printed by the pkiDebug() routine, such as "no anchors in file" suggest mistakes in the krb5.conf. They should be printed to KRB5_TRACE, since it may be difficult to debug a configuration without them. It would not be excessive, but might not be necessary, to make all pkiDebug() go to KRB5_TRACE.
>How-To-Repeat:
Varies. For the specific example just given set pkinit_anchors to a .der-formatted file instead of PEM.
>Fix:
The workaround used was to build with the DEBUG flag. Seems excessive.
The situation should be improved significantly in 1.11 by r25854
(committed May 8). In your particular scenario, the bogus "Out of
memory" error in the trace log would have been replaced with an OpenSSL
error, for instance.

There is still some information available through compile-time options
but not present in the trace logs (including basically everything on the
KDC side), so I wouldn't say we're done here. The main obstacle is
representing OpenSSL types in string form without adding a large amount
of code. (Also, I'm not sure I would want to dump Diffie-Hellman
parameters into the trace logs before we have a way to enable super-
verbose trace logging, since they're quite large and there are three of
them.)
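As an added example (not code from the krb5 project, the reporter or the reply above), the following Python script performs the check that the reporter's How-To-Repeat describes and that the trace log did not surface: it finds every pkinit_anchors FILE: entry in a krb5.conf, reads the referenced file and reports whether it is PEM or DER, and it includes a helper that rewrites a DER certificate as the PEM form pkinit expects. The sample krb5.conf, the file paths and the truncated certificate bytes are constructed for the example; the file reader is injected so the check runs offline.

```python
import base64
import re

# Added example, not krb5 project code.  Classifies pkinit_anchors files as
# PEM or DER so a "no anchors in file" misconfiguration can be spotted without
# rebuilding krb5 with DEBUG.  The sample config and certificate bytes below
# are constructed for this example.

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Matches "pkinit_anchors = <value>" in any krb5.conf section.
ANCHOR_RE = re.compile(r"^\s*pkinit_anchors\s*=\s*(\S+)", re.MULTILINE)


def anchor_file_paths(conf_text):
    """Return the FILE: paths named by pkinit_anchors lines, in order.
    DIR: and ENV: forms are skipped; they do not name a single file."""
    paths = []
    for value in ANCHOR_RE.findall(conf_text):
        kind, sep, rest = value.partition(":")
        if sep and kind.upper() == "FILE":
            paths.append(rest)
    return paths


def classify_anchor_bytes(data):
    """'pem' if the data carries at least one PEM certificate block,
    'der' if it starts like a DER-encoded X.509 certificate
    (SEQUENCE tag 0x30 followed by a long-form length byte), else 'unknown'."""
    if PEM_BEGIN.encode() in data and PEM_END.encode() in data:
        return "pem"
    if len(data) >= 2 and data[0] == 0x30 and data[1] & 0x80:
        return "der"
    return "unknown"


def der_to_pem(der):
    """Wrap a single DER certificate as PEM (64-character base64 lines),
    which is the encoding a pkinit_anchors FILE: entry must point at."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n".encode("ascii")


def check_anchors(conf_text, read_file):
    """Map each pkinit_anchors FILE: path to its classification.
    read_file(path) -> bytes is injected so the check can run offline;
    a path that cannot be read is reported as 'missing'."""
    results = {}
    for path in anchor_file_paths(conf_text):
        try:
            results[path] = classify_anchor_bytes(read_file(path))
        except OSError:
            results[path] = "missing"
    return results


# Constructed sample input: a krb5.conf fragment and two fake anchor files.
SAMPLE_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        pkinit_anchors = FILE:/etc/pki/ca.der
        pkinit_anchors = FILE:/etc/pki/ca.pem
        pkinit_anchors = DIR:/etc/pki/anchors
    }
"""

# Leading bytes of a DER X.509 certificate: outer SEQUENCE with a 2-byte
# length, the tbsCertificate SEQUENCE, then the [0] EXPLICIT version INTEGER.
# Deliberately truncated; only the encoding shape matters for the check.
DER_SAMPLE = bytes.fromhex("3082031d30820205a003020102")
PEM_SAMPLE = der_to_pem(DER_SAMPLE)

SAMPLE_FILES = {
    "/etc/pki/ca.der": DER_SAMPLE,
    "/etc/pki/ca.pem": PEM_SAMPLE,
}


def read_sample(path):
    """Stand-in for open(path, 'rb').read() over the constructed files."""
    if path not in SAMPLE_FILES:
        raise FileNotFoundError(path)
    return SAMPLE_FILES[path]


if __name__ == "__main__":
    for path, kind in check_anchors(SAMPLE_CONF, read_sample).items():
        note = "" if kind == "pem" else "  <-- pkinit will not load this"
        print(f"{path}: {kind}{note}")
```

Against a real system, replace read_sample with a reader that opens the path in binary mode and run the check before setting KRB5_TRACE, since (per the report) a DER anchor file on 1.9 produces no useful trace output. The DER heuristic only inspects the first two bytes; it is enough to distinguish a raw certificate from a PEM bundle, which is the mistake the report describes, but it is not a full ASN.1 parse.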