From Sun Jun 27 15:37:54 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA17541 for <bugs@RT-11.MIT.EDU>; Sun, 27 Jun 1999 15:37:54 -0400
Received: from [] by MIT.EDU with SMTP
id AA06263; Sun, 27 Jun 99 15:37:15 EDT
Received: from ( [])
by (8.9.3/8.9.3) with ESMTP id PAA27510;
Sun, 27 Jun 1999 15:37:17 -0400 (EDT)
Received: (chas@localhost) by (8.6.12/8.6.11) id PAA01189; Sun, 27 Jun 1999 15:37:15 -0400
Message-Id: <>
Date: Sun, 27 Jun 1999 15:37:15 -0400
From: Chas Williams <>
To: krb5-bugs@MIT.EDU
Subject: new kinit and h/w preauth
X-Send-Pr-Version: 3.99

>Number: 730
>Category: krb5-libs
>Synopsis: h/w preauth seems broken in krb5_get_init_creds_password
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Jun 27 15:38:01 EDT 1999
>Originator: Chas Williams
Naval Research Laboratory, Washington, DC
>Release: krb5-current-19990626

System: SunOS fermi 5.6 Generic_105181-11 sun4d sparc SUNW,SPARCserver-1000
Architecture: sun4

attempting to use the new kinit (using the krb5_get_init_creds_password
routine) to get a ticket and my principal has the requires hwauth
flag set, i fail to get a ticket with the error message, 'Bad password'

% ./kinit
CryptoCard RB-1
Press ENTER and compare this challenge to the one on your display
Challenge is [42058226], Enter the displayed response: 86566993

kinit: Password incorrect

note that it DIDN'T actually prompt me for a password. it just
said, bad password. if i give a bad response to the challenge
i get back 'preauth failed' which is correct

see above.

apparently, the problem lies in gic_pwd.c (but i am not an
expert on this code, so this is mostly a guess)

near the beginning of krb5_get_as_key_password(), we see:

    /* if there's already a key of the correct etype, we're done.
       if the etype is wrong, free the existing key, and make
       a new one. */

    if (as_key->length) {
        if (as_key->enctype == etype)
            return 0;

        krb5_free_keyblock_contents(context, as_key);
        as_key->length = 0;

after the hw preauth exchanges, as_key->enctype = etype
but i haven't been asked for my password, and since this
routine is the one that does that job, this function shouldn't
return 0 at this point, it should continue (w/o hw preauth
as_key->length = 0 i believe and this code isn't triggered)

i 'fixed' it by changing it to:

    if (as_key->length) {
        if (as_key->enctype != etype) {
            krb5_free_keyblock_contents(context, as_key);
            as_key->length = 0;

after this change, kinit asks for my password after the preauth
exchange and i am able to get a ticket. this change doesn't seem to
bother principals not using h/w preauth.

on a side note, i don't think it should display my response to
the challenge, i suspect the hidden flag isn't being set.
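
The control flow discussed in the report above, as an added C model (not part of the original report and not MIT krb5 code). It runs the quoted check and the reporter's changed check against an empty key, a key already set with the requested enctype (the state the report describes after the hardware preauth exchange) and a key with a different enctype. Assumptions: the names `keyblock`, `stats`, `prompt_and_derive` and `run`, the enctype values 1 and 3, and the prompt-then-derive step after the check, which the report does not show.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model only: stand-in types and an assumed prompt-then-derive step, not krb5 code. */
typedef struct { int enctype; size_t length; unsigned char *contents; } keyblock;
typedef struct { int prompts, frees, overwrites; } stats;

static void free_key(keyblock *k, stats *s) {
    free(k->contents); k->contents = NULL; k->length = 0; s->frees++;
}

static int prompt_and_derive(keyblock *k, int etype, stats *s) {
    static const char derived[] = "constructed-password-key";
    s->prompts++;                                   /* the password prompt */
    if (k->length) { s->overwrites++; free(k->contents); }  /* old key still set */
    k->contents = malloc(sizeof derived);
    if (!k->contents) { k->length = 0; return -1; }
    memcpy(k->contents, derived, sizeof derived);
    k->length = sizeof derived; k->enctype = etype;
    return 0;
}

static int as_key_original(keyblock *k, int etype, stats *s) {  /* check as quoted */
    if (k->length) {
        if (k->enctype == etype) return 0;          /* returns before any prompt */
        free_key(k, s);
    }
    return prompt_and_derive(k, etype, s);
}

static int as_key_patched(keyblock *k, int etype, stats *s) {   /* reporter's change */
    if (k->length) {
        if (k->enctype != etype) free_key(k, s);
    }
    return prompt_and_derive(k, etype, s);
}

static stats run(int patched, int preset_etype, int etype) {  /* preset 0 = empty key */
    keyblock k = {preset_etype, 0, NULL}; stats s = {0, 0, 0};
    if (preset_etype && (k.contents = calloc(1, 8)) != NULL) k.length = 8;
    (patched ? as_key_patched : as_key_original)(&k, etype, &s);
    free(k.contents);
    return s;
}

int main(void) {
    printf("original=%d patched=%d\n", run(0, 1, 1).prompts, run(1, 1, 1).prompts);
    return 0;
}
```

In the model, the changed check reaches the derivation step with the earlier key still in place (counted in `overwrites`), so how the real routine releases that key is worth checking when reviewing the change.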