From chas@cmf.nrl.navy.mil Sun Jun 27 15:37:54 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id PAA17541 for <bugs@RT-11.MIT.EDU>; Sun, 27 Jun 1999 15:37:54 -0400
Received: from [134.207.10.161] by MIT.EDU with SMTP
id AA06263; Sun, 27 Jun 99 15:37:15 EDT
Received: from fermi.cmf.nrl.navy.mil (fermi.cmf.nrl.navy.mil [134.207.10.73])
by ginger.cmf.nrl.navy.mil (8.9.3/8.9.3) with ESMTP id PAA27510;
Sun, 27 Jun 1999 15:37:17 -0400 (EDT)
Received: (chas@localhost) by fermi.cmf.nrl.navy.mil (8.6.12/8.6.11) id PAA01189; Sun, 27 Jun 1999 15:37:15 -0400
Message-Id: <199906271937.PAA01189@fermi.cmf.nrl.navy.mil>
Date: Sun, 27 Jun 1999 15:37:15 -0400
From: Chas Williams <chas@cmf.nrl.navy.mil>
Reply-To: chas@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Cc: kenh@cmf.nrl.navy.mil
Subject: new kinit and h/w preauth
X-Send-Pr-Version: 3.99
>Number: 730
>Category: krb5-libs
>Synopsis: h/w preauth seems broken in krb5_get_init_creds_password
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Jun 27 15:38:01 EDT 1999
>Last-Modified:
>Originator: Chas Williams
>Organization:
Naval Research Laboratory, Washington, DC
>Release: krb5-current-19990626
>Environment:
System: SunOS fermi 5.6 Generic_105181-11 sun4d sparc SUNW,SPARCserver-1000
Architecture: sun4
>Description:
attempting to use the new kinit (using the krb5_get_init_creds_password
routine) to get a ticket and my principal has the requires hwauth
flag set, i fail to get a ticket with the error message, 'Bad password'
% ./kinit
CryptoCard RB-1
Press ENTER and compare this challenge to the one on your display
Challenge is [42058226], Enter the displayed response: 86566993
kinit: Password incorrect
note, that it DIDN'T actually prompt me for a password. it just
said, bad password. if i give a bad response to the challenge
i get back 'preauth failed' which is correct
>How-To-Repeat:
see above.
>Fix:
apparently, the problem lies in gic_pwd.c (but i am not an
expert on this code, so this is mostly a guess)
near the beginning of krb5_get_as_key_password(), we see:
    /* if there's already a key of the correct etype, we're done.
       if the etype is wrong, free the existing key, and make
       a new one. */
    if (as_key->length) {
        if (as_key->enctype == etype)
            return 0;
        krb5_free_keyblock_contents(context, as_key);
        as_key->length = 0;
    }
after the hw preauth exchanges, as_key->enctype = etype
but i haven't been asked for my password, and since this
routine is the one that does that job, this function shouldn't
return 0 at this point, it should continue (w/o hw preauth
as_key->length = 0 i believe and this code isn't triggered)
i 'fixed' it by changing it to:
    if (as_key->length) {
        if (as_key->enctype != etype) {
            krb5_free_keyblock_contents(context, as_key);
            as_key->length = 0;
        }
    }
after this change, kinit asks for my password after the preauth
exchange and i am able to get a ticket. this change doesn't seem to
bother principals not using h/w preauth.
on a side note, i don't think it should display my response to
the challenge, i suspect the hidden flag isn't being set.
>Audit-Trail:
>Unformatted:
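Added example (not part of the original report and not MIT krb5 code): a small C model of the key check described under >Fix:, counting how often the password prompt runs with the quoted check and with the reporter's change. The struct, the function names, the dummy key and the etype numbers are all constructed for illustration; the model frees any older key before storing a new one, which is its own choice and not something the report states.

```c
#include <stdlib.h>

/* Simplified stand-in for krb5_keyblock (model only, not the library type). */
struct keyblock { int enctype; size_t length; unsigned char *contents; };
static int prompts; /* number of times the password prompt ran */

static void free_contents(struct keyblock *k) {
    free(k->contents);
    k->contents = NULL;
    k->length = 0;
}

/* Stand-in for "prompt for the password, then string-to-key" (dummy key). */
static int prompt_and_derive(struct keyblock *k, int etype) {
    prompts++;
    free_contents(k); /* model's choice: drop any older key first */
    if ((k->contents = calloc(1, 8)) == NULL)
        return -1;
    k->length = 8;
    k->enctype = etype;
    return 0;
}

/* changed == 0: check as quoted in the report (matching etype returns early).
   changed == 1: reporter's version (only a wrong-etype key is discarded). */
static int get_as_key(struct keyblock *k, int etype, int changed) {
    if (k->length) {
        if (!changed && k->enctype == etype)
            return 0;
        if (k->enctype != etype)
            free_contents(k);
    }
    return prompt_and_derive(k, etype);
}

/* Prompts seen over `calls` calls. prefilled models as_key already holding a
   key of key_etype before the first call, as the report describes. */
int prompts_seen(int changed, int prefilled, int key_etype, int etype, int calls) {
    struct keyblock k = { key_etype, 0, NULL };
    prompts = 0;
    if (prefilled && (k.contents = calloc(1, 4)) != NULL)
        k.length = 4;
    while (calls-- > 0)
        get_as_key(&k, etype, changed);
    free_contents(&k);
    return prompts;
}
```

In this model the changed check prompts on every call, including a second call made after the password key has already been derived. Whether that matters depends on how often the caller invokes the routine, which the report does not say.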