Skip Menu |
 

Subject: Confusing error message for key version mismatch
Download (untitled) / with headers
text/plain 1.1KiB
If a client makes an AP request to a server with a stale cached ticket
(one the server does not have a keytab entry for), the error code from
krb5_rd_req in krb5 1.2 through 1.6 will be KRB5_KT_KVNONOTFOUND, per
issue #198. This makes the situation pretty clear if the administrator
is able to see the error message.

In krb5 1.7, the error will be KRB5_KRB5KRB_AP_WRONG_PRINC, which fails
to distinguish stale ticket issues from DNS canonicalization issues.
This is true whether or not krb5_rd_req is given a server parameter,
because of the error-mapping switch statement at the end of
decrypt_ticket(). The acceptor names work in 1.10 did not change this
behavior.

In the cases where we try just one principal in the keytab, fixing this
is as simple as not mapping a KRB5_KT_KVNONOTFOUND error. In the case
where we iterate over the keytab, we will need to detect when the name
matches the request service principal (which of course won't trigger in
alias situations, but those are not the common case) but the kvno
doesn't match the request kvno, and produce a KRB5_KT_KVNONOTFOUND error
at the end of the loop if we saw one of those.
Looking back through the archives, this is actually a conscious change:

http://mailman.mit.edu/pipermail/krbdev/2008-December/007154.html

Sam's reasoning was that wrong-key-version errors aren't very common,
which I think is not necessarily true.

I think with a little bit of additional code, we can return a clearer
error code in the non-alias case.

Sam also notes that gssrpc__svcauth_gssapi() uses KRB5KRB_AP_WRONG_PRINC
to iterate over service principal names. I think it's fine not to
iterate in the cases where we'd produce a kvno mismatch error code.
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Improve krb5_rd_req decryption failure errors

When krb5_rd_req cannot decrypt a ticket, try to produce the most
helpful diagnostic we can, and return an error code which corresponds
to the most applicable Kerberos protocol error. Add a trace log
containing the error message for ticket decryption failures, in case
the application server does not log it.

Add new tests to cover krb5_rd_req error messages and adjust existing
tests to match the new messages. Also adjust svc_auth_gssapi.c to
look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC.

https://github.com/krb5/krb5/commit/eba8c4909ec7ba0d7054d5d1b1061319e9970cc7
Author: Greg Hudson <ghudson@mit.edu>
Commit: eba8c4909ec7ba0d7054d5d1b1061319e9970cc7
Branch: master
.gitignore | 1 +
src/include/k5-trace.h | 2 +
src/lib/krb5/krb/rd_req_dec.c | 305 +++++++++++++++++++++++----
src/lib/rpc/svc_auth_gssapi.c | 9 +-
src/lib/rpc/unit-test/rpc_test.0/gsserr.exp | 4 +-
src/tests/Makefile.in | 12 +-
src/tests/gssapi/t_gssapi.py | 10 +-
src/tests/rdreq.c | 116 ++++++++++
src/tests/t_rdreq.py | 126 +++++++++++
9 files changed, 528 insertions(+), 57 deletions(-)