Date: Fri, 17 May 2013 15:29:37 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: krb5-bugs@mit.edu
Subject: Transited realm checks sometimes fail for GSSAPI
We've gotten a report of illegal-cross-realm-ticket failures in GSSAPI
acceptor applications after updating from 1.9 to 1.10.3. In the
customer case, they're using sshd, but I can see it happen with
gss-client and gss-server, too, with both 1.10.3 and master.

When kg_accept_krb5() doesn't have a default identity to use, it calls
kg_acceptor_princ() to figure out parts of the acceptor name to be
passed to krb5_rd_req().

The name produced has its realm name field set to "". (Whether that's
supposed to mean KRB5_REFERRAL_REALM or is just the same value by
coincidence, I can't tell.)

When this server name is passed to krb5_rd_req(), and eventually to
rd_req_decoded_opt(), the ticket is successfully decrypted, but if the
ticket's transited field isn't empty, the subsequent call to
krb5_check_transited_list() attempts to compute a path from the client's
realm to a realm named "", and with the set of names in my test setup
(the client is in XXX.REDHAT.COM, the server is in ZZZ.REDHAT.COM, with
YYY.REDHAT.COM being the realm in between), the result is always
KRB5KRB_AP_ERR_ILL_CR_TKT.

Using the server principal, as specified in the ticket, which includes
the correct realm name, causes the test to succeed on my test system.

I'm appending a proposed patch.

Thanks,

Nalin

--- src/lib/krb5/krb/rd_req_dec.c
+++ src/lib/krb5/krb/rd_req_dec.c
@@ -363,11 +363,12 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
/* Hierarchical Cross-Realm */

{
- krb5_data * realm;
+ krb5_data * crealm, *srealm;
krb5_transited * trans;

- realm = &req->ticket->enc_part2->client->realm;
+ crealm = &req->ticket->enc_part2->client->realm;
trans = &(req->ticket->enc_part2->transited);
+ srealm = &req->ticket->server->realm;

/*
* If the transited list is not empty, then check that all realms
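Review bot: srealm is deliberately taken from req->ticket->server->realm instead of the caller-supplied `server`, but the hunk does not say why; a short comment above `+ srealm = &req->ticket->server->realm;` noting that the matching principal passed in by the acceptor may carry an empty realm (kg_acceptor_princ() produces one), while the ticket's server name is the one established when the ticket was decrypted, would keep the intent from being lost in a later cleanup. Minor: the declaration `krb5_data * crealm, *srealm;` spaces the two pointer stars differently; `krb5_data *crealm, *srealm;` is the usual form.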
@@ -376,7 +377,7 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
*/
if (trans->tr_contents.length > 0 && trans->tr_contents.data[0]) {
retval = krb5_check_transited_list(context, &(trans->tr_contents),
- realm, &server->realm);
+ crealm, srealm);
}
}

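Review bot: after this change the transited check runs between the ticket's client realm and the ticket's server realm, so the matching principal's empty realm no longer reaches krb5_check_transited_list(); but `server` itself is left pointing at the matching principal, so any later use of server->realm in rd_req_decoded_opt would still see "". Resetting server to req->ticket->server once after decryption (the alternative raised in the follow-up note) fixes every use at once rather than this one call. Either way the regression test must use a ticket with a non-empty transited field, because the guard `trans->tr_contents.length > 0 && trans->tr_contents.data[0]` means a direct cross-realm ticket never enters this branch.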
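The failure described in the report above (a transited check run against a server realm of "") can be modelled as follows. This is an added example, not code from the krb5 tree or from the report: it works on an already-decoded list of transited realms and implements only the hierarchical rule (walk up from the client realm to the common ancestor, then down to the server realm); the real krb5_check_transited_list() also consults [capaths] and parses the compressed transited encoding, so this is a simplification. The ticket dictionary, the `acceptor_check` helper and its `use_ticket_server` switch are constructed for the example.

```python
"""Simplified model of the hierarchical transited-realm check performed on a
cross-realm ticket, using the A.X -> X -> B.X topology of the regression test.
Example code, not part of krb5."""


class IllegalCrossRealmTicket(Exception):
    """Stands in for the KRB5KRB_AP_ERR_ILL_CR_TKT error code."""


def hierarchical_path(client_realm, server_realm):
    """Return the intermediate realms a hierarchical walk visits between the
    client realm and the server realm (endpoints excluded).  Realm components
    are dot-separated, most specific first: A.X lies below X."""
    if not client_realm or not server_realm:
        # An empty realm name has no place in the hierarchy; this is the
        # situation the report describes (server realm "").
        raise ValueError("realm names must be non-empty")
    c = client_realm.split(".")
    s = server_realm.split(".")

    # Length of the common suffix, e.g. 1 for A.X / B.X (shared parent X).
    n = 0
    while n < len(c) and n < len(s) and c[-1 - n] == s[-1 - n]:
        n += 1

    # Walk up from the client realm to the common ancestor (or to the
    # client's top-level realm when the two share no suffix) ...
    up = [".".join(c[i:]) for i in range(1, min(len(c) - n + 1, len(c)))]
    # ... then down from that ancestor towards the server realm.
    down = [".".join(s[i:]) for i in range(len(s) - n - 1, 0, -1)]

    # The endpoints themselves never appear in the transited list.
    return [r for r in up + down if r not in (client_realm, server_realm)]


def check_transited(client_realm, server_realm, transited):
    """Accept only if every realm in the ticket's transited field lies on the
    expected path from client_realm to server_realm."""
    try:
        expected = hierarchical_path(client_realm, server_realm)
    except ValueError as exc:
        raise IllegalCrossRealmTicket(str(exc)) from exc
    for realm in transited:
        if realm not in expected:
            raise IllegalCrossRealmTicket(
                "realm %r is not on the expected path %r" % (realm, expected))
    return True


def acceptor_check(ticket, matching_principal, use_ticket_server=True):
    """Acceptor-side transited check (constructed helper).

    use_ticket_server=False takes the server realm from the caller's matching
    principal, as rd_req_decoded_opt did before the fix; kg_acceptor_princ()
    builds that principal with realm "", so the check fails.  With the default
    (the fix) the realm comes from the server name in the ticket, which
    decrypt_ticket replaced with the principal from the keytab entry."""
    if use_ticket_server:
        srealm = ticket["sname"]["realm"]
    else:
        srealm = matching_principal["realm"]
    return check_transited(ticket["crealm"], srealm, ticket["transited"])


# Constructed sample: a ticket for a B.X service held by a client from A.X,
# obtained through the intermediate realm X (the regression test's shape).
SAMPLE_TICKET = {
    "crealm": "A.X",
    "sname": {"realm": "B.X", "name": "host/server.b.x"},
    "transited": ["X"],  # already decoded from the wire encoding
}
# Matching principal as kg_acceptor_princ() produces it: an empty realm.
MATCHING_PRINCIPAL = {"realm": "", "name": "host/server.b.x"}

if __name__ == "__main__":
    print("with ticket realm:", acceptor_check(SAMPLE_TICKET, MATCHING_PRINCIPAL))
    try:
        acceptor_check(SAMPLE_TICKET, MATCHING_PRINCIPAL, use_ticket_server=False)
    except IllegalCrossRealmTicket as err:
        print("with matching-principal realm:", err)
```

Running the block prints an accepted check when the ticket's server realm is used and the rejection when the empty realm of the matching principal is used, which is the before/after behaviour the patch addresses.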
I've created a regression test for this. The proposed fix works (as does
simply setting server = req->ticket->server unconditionally at line 311),
but I need to discuss an edge case with Tom before pushing it.
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index de778cc..51b5aa1 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -110,6 +110,19 @@ if 'host/-nomatch-' not in output:

realm.stop()

+# Make sure a GSSAPI acceptor can handle cross-realm tickets with a
+# transited field. (Regression test for #7639.)
+r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)),
+ args=[{'realm': 'A.X', 'create_user': True},
+ {'realm': 'X'},
+ {'realm': 'B.X', 'create_host': True}],
+ create_user=False, create_host=False)
+os.rename(r3.keytab, r1.keytab)
+r1.run(['./t_accname', 'p:' + r3.host_princ, 'h:host'])
+r1.stop()
+r2.stop()
+r3.stop()
+
### Test gss_inquire_cred behavior.

realm = K5Realm()
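Review bot: `os.rename(r3.keytab, r1.keytab)` overwrites r1's own keytab with the B.X host keytab so that t_accname, started in r1's environment, acts as the B.X acceptor; that line is the crux of the test and reads like a mistake without a comment saying so. The test also asserts nothing about t_accname's output and relies only on its exit status, which is sufficient for the ILL_CR_TKT regression but worth stating in the comment. Check that `os` is already imported at the top of t_gssapi.py, since this hunk uses it without importing it, and that the ticket number #7639 in the comment matches this report.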
From: ghudson@mit.edu
Subject: git commit

Fix transited handling for GSSAPI acceptors

The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.

To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.

Based on a bug report and patch from nalin@redhat.com.

https://github.com/krb5/krb5/commit/57acee11b5c6682a7f4f036e35d8b2fc9292875e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 57acee11b5c6682a7f4f036e35d8b2fc9292875e
Branch: master
src/lib/krb5/krb/rd_req_dec.c | 8 +++++---
src/tests/gssapi/t_gssapi.py | 13 +++++++++++++
2 files changed, 18 insertions(+), 3 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix transited handling for GSSAPI acceptors

The Acceptor Names project (#6855) extended krb5_rd_req so that it can
accept a "matching principal" in the server parameter. If the
matching principal has an empty realm, rd_req_decoded_opt attempted to
do transited checking with an empty server realm.

To fix this, always reset server to req->ticket->server for future
processing steps if we decrypt the ticket using a keytab.
decrypt_ticket replaces req->ticket->server with the principal name
from the keytab entry, so we know this name is correct.

Based on a bug report and patch from nalin@redhat.com.

(cherry picked from commit 57acee11b5c6682a7f4f036e35d8b2fc9292875e)

https://github.com/krb5/krb5/commit/b4d2d74082d239e3024254ab8ffb55c9dd087ff7
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: b4d2d74082d239e3024254ab8ffb55c9dd087ff7
Branch: krb5-1.11
src/lib/krb5/krb/rd_req_dec.c | 8 +++++---
src/tests/gssapi/t_gssapi.py | 13 +++++++++++++
2 files changed, 18 insertions(+), 3 deletions(-)