From chas@cmf.nrl.navy.mil Thu Sep 2 19:09:51 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA11548 for <bugs@RT-11.MIT.EDU>; Thu, 2 Sep 1999 19:09:50 -0400
Received: from ginger.cmf.nrl.navy.mil by MIT.EDU with SMTP
id AA16543; Thu, 2 Sep 99 19:09:39 EDT
Received: from borg.cmf.nrl.navy.mil (borg.cmf.nrl.navy.mil [134.207.12.148])
by ginger.cmf.nrl.navy.mil (8.9.3/8.9.3) with ESMTP id TAA27069;
Thu, 2 Sep 1999 19:09:42 -0400 (EDT)
Received: (from chas@localhost)
by borg.cmf.nrl.navy.mil (8.8.5/8.8.5) id QAA06190;
Thu, 2 Sep 1999 16:09:37 -0700 (PDT)
Message-Id: <199909022309.QAA06190@borg.cmf.nrl.navy.mil>
Date: Thu, 2 Sep 1999 16:09:37 -0700 (PDT)
From: Chas Williams <chas@cmf.nrl.navy.mil>
Reply-To: chas@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Cc: kenh@cmf.nrl.navy.mil
Subject: pa_sam() KRB5_SAM_SEND_ENCRYPTED_SAD doesn't work in 1.1 beta
X-Send-Pr-Version: 3.99
>Number: 747
>Category: krb5-libs
>Synopsis: pa_sam()'s KRB5_SAM_SEND_ENCRYPTED_SAD doesn't ask for password
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 02 19:10:00 EDT 1999
>Last-Modified: Tue Feb 22 16:46:01 EST 2000
>Originator: Chas Williams
>Organization:
hardly any, ask ken
>Release: 1.1beta
>Environment:
System: IRIX borg 6.5 04151556 IP22
>Description:
When using SecurID as a h/w preauth method I see the following behavior:

    % ./kinit chas@WES.HPC.MIL
    SAM Authentication
    Challenge for Security Dynamics mechanism
    SecurID Passcode:
    kinit: Bad encryption type while getting initial credentials
    %

Note that it never actually asked for my password.
The problem seems to be in the following from krb5/krb5/preauth2.c:

    enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
    if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
        enc_sam_response_enc.sam_passcode = response_data;
    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {

Note that it never asks for my password to use as a key
or even encrypts the preauth response.
>How-To-Repeat:
(see above, but you need a h/w preauth method that uses KRB5_SAM_SEND_ENCRYPTED_SAD)
>Fix:
A previous fix from another site was to do the following:

    if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
        /*
         * We need to use the password as part or all of the key.
         * If as_key contains info, it should be the user's pass phrase.
         * If not, get the password before issuing the challenge.
         */
        if (as_key->length == 0) {
            if (ret = ((*gak_fct)(context, request->client,
                                  request->ktype[0], prompter, prompter_data,
                                  salt, as_key, gak_data)))
                return(ret);
        }
        enc_sam_response_enc.sam_passcode = response_data;
    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
        if (sam_challenge->sam_nonce == 0) {

However, this doesn't work anymore since the latest changes
to the crypto library.
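As an added illustration (not code from this report or from krb5), a small constructed C model of the two SAM flag paths the Description and Fix above discuss: the encrypted-SAD path has to derive the AS key from the user's password before the response is encrypted, and an unset key handed to the crypto layer is what surfaces as "Bad encryption type". The flag bits, error code, key layout, and the get_as_key/encrypt_response stand-ins are placeholders, not krb5's real constants or API.

```c
/* Constructed model of the pa_sam() branch under discussion; not krb5 code.
 * USE_SAD_AS_KEY uses the passcode itself as the key (no password needed);
 * SEND_ENCRYPTED_SAD encrypts the passcode under the user's password-derived
 * key, which must be fetched first, or the crypto layer sees an unset key. */
#include <stddef.h>
/* Placeholder bit values and error code, not the real krb5.h constants. */
#define SAM_USE_SAD_AS_KEY     0x1u
#define SAM_SEND_ENCRYPTED_SAD 0x2u
#define ERR_BAD_ENCTYPE        1

typedef struct { int enctype; size_t length; } sam_key;
static int prompt_count;          /* how many times the user was prompted */

/* Stand-in for gak_fct: prompts for the password and derives as_key. */
static int get_as_key(sam_key *as_key) {
    prompt_count++;
    as_key->enctype = 3;          /* any non-zero enctype: key now usable */
    as_key->length = 24;
    return 0;
}

/* Stand-in for the crypto library: refuses a key with no enctype set. */
static int encrypt_response(const sam_key *key) {
    return key->enctype == 0 ? ERR_BAD_ENCTYPE : 0;
}

/* fixed == 0 mirrors the 1.1beta code (encrypt without fetching the key);
 * fixed != 0 applies the reporter's patch: fetch as_key when it is empty. */
int build_sam_response(unsigned flags, sam_key *as_key, int fixed) {
    sam_key sad_key = { 3, 16 };  /* passcode used directly as the key */
    if (flags & SAM_SEND_ENCRYPTED_SAD) {
        if (fixed && as_key->length == 0) {
            int ret = get_as_key(as_key);
            if (ret) return ret;
        }
        return encrypt_response(as_key);
    } else if (flags & SAM_USE_SAD_AS_KEY) {
        return encrypt_response(&sad_key);
    }
    return 0;
}

/* Runs one scenario from a fresh state: no cached key, no prompts yet. */
int run_case(unsigned flags, int fixed) {
    sam_key as_key = { 0, 0 };
    prompt_count = 0;
    return build_sam_response(flags, &as_key, fixed);
}
int prompts_issued(void) { return prompt_count; }
```

Running `run_case(SAM_SEND_ENCRYPTED_SAD, 0)` reproduces the report: no prompt is issued and the encryptor rejects the empty key, while the fixed path prompts once and succeeds.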
>Audit-Trail:
Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Feb 22 16:45:58 2000
Responsible-Changed-Why:
>Unformatted: