 

From jhawk@MIT.EDU Sun Oct 6 21:10:34 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id VAA06263 for <bugs@RT-11.MIT.EDU>; Sun, 6 Oct 1996 21:10:34 -0400
Received: from LOLA-GRANOLA.MIT.EDU by MIT.EDU with SMTP
id AA04465; Sun, 6 Oct 96 21:10:33 EDT
Received: (from jhawk@localhost) by lola-granola.MIT.EDU (8.6.12/8.6.12) id VAA25023; Sun, 6 Oct 1996 21:10:31 -0400
Message-Id: <199610070110.VAA25023@lola-granola.MIT.EDU>
Date: Sun, 6 Oct 1996 21:10:31 -0400
From: John Hawkinson <jhawk@bbnplanet.com>
To: krb5-bugs@MIT.EDU
Subject: telnet Kerberos5 diagnostics are hardly clear, checksum confusion abounds

>Number: 77
>Category: telnet
>Synopsis: telnet Kerberos5 diagnostics are hardly clear, checksum confusion abounds
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: hartmans
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Oct e 21:11:01 EDT 1996
>Last-Modified: Fri Nov e 20:54:27 EST 1996
>Originator:
>Organization:
BBN Planet
>Release: beta-7
>Environment:
System: SunOS all-purpo 4.1.4 4 sun4m
Architecture: sun4

>Description:

The Beta 7 telnetd is very unclear about the fact that some of the errors
it notices come from the *daemon*, rather than the client.

I spent quite some time trying to debug my client saying
"Kerberos: checksum verification failed: Decrypt integrity check failed".
It turned out the "Kerberos: " part was from the client, but the rest
was from the telnetd.

Telnetd really needs to make it clear these errors come from it and
not from the client. Also, it should syslog them so the administrator
of the daemon's host can detect this condition (which could conceivably
be an attack...).

My patch includes a note explaining where one might want to modify the
code to remove checksum checking (ala klogind -i) if one wanted to
support such ancient telnet clients. Hopefully there won't be enough
demand that comitting such an option is necessary for the mainline MIT
kerberos release... [folks who feel differently and are reading this
bug report should probably pipe up]

>How-To-Repeat:

Err, spend all day debugging telnet problems with ancient codebases? ;-)

>Fix:

Here you go.

*** appl/telnet/libtelnet/kerberos5.c 1996/10/07 00:07:45 1.1
--- appl/telnet/libtelnet/kerberos5.c 1996/10/07 01:07:17 1.3
***************
*** 65,70 ****
--- 65,71 ----
#include "com_err.h"
#include <netdb.h>
#include <ctype.h>
+ #include <syslog.h>

#ifdef HAVE_STDLIB_H
#include <stdlib.h>
***************
*** 219,232 ****

if (!UserNameRequested) {
if (auth_debug_mode) {
! printf("Kerberos V5: no user name supplied\r\n");
}
return(0);
}

if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
! printf("Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
--- 220,235 ----

if (!UserNameRequested) {
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos V5: no user name supplied\r\n");
}
return(0);
}

if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
***************
*** 236,242 ****
"host", KRB5_NT_SRV_HST,
&creds.server))) {
if (auth_debug_mode)
! printf("Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
}

--- 239,245 ----
"host", KRB5_NT_SRV_HST,
&creds.server))) {
if (auth_debug_mode)
! printf("telnetd: Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
}

***************
*** 256,262 ****
if ((r = krb5_cc_get_principal(telnet_context, ccache,
&creds.client))) {
if (auth_debug_mode) {
! printf("Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
--- 259,266 ----
if ((r = krb5_cc_get_principal(telnet_context, ccache,
&creds.client))) {
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
***************
*** 267,273 ****
if ((r = krb5_get_credentials(telnet_context, 0,
ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
! printf("Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
--- 271,278 ----
if ((r = krb5_get_credentials(telnet_context, 0,
ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
***************
*** 336,342 ****
krb5_free_creds(telnet_context, new_creds);
if (r) {
if (auth_debug_mode) {
! printf("Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
--- 341,347 ----
krb5_free_creds(telnet_context, new_creds);
if (r) {
if (auth_debug_mode) {
! printf("telnetd: Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
***************
*** 344,359 ****

if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
! printf("Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
! printf("Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
! printf("Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
--- 349,365 ----

if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
! printf("telnetd: Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
! printf(
! "telnetd: Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
! printf("telnetd: Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
***************
*** 452,457 ****
--- 458,472 ----
cksum->checksum_type, cksum,
&type_check, 2, key->contents,
key->length);
+ /*
+ * Note that krb5_verify_checksum() will fail if a pre-
+ * MIT Kerberos Beta 6 client is attempting to connect
+ * to this server (Beta 7 or later). There is not way to
+ * fix this without compromising encryption. It would be
+ * reasonable to add a -i option to telnetd to ignore
+ * checksums (like in klogind). Such an option is not
+ * present at this time.
+ */
if (r) {
(void) strcpy(errbuf,
"checksum verification failed: ");
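Review bot: The added comment reads "There is not way to fix this" and sits between the krb5_verify_checksum() call and the `if (r)` that tests its result; I would move it above the call and reword it to `There is no way to fix this without compromising encryption.` The checked data is passed as `&type_check, 2`, so the comment could also say what those two bytes are (presumably the negotiated authentication type pair, to be confirmed against the lines above the hunk), since that is exactly what a future -i option would stop verifying. The alternate patch's copy of this comment, in its hunk for new lines 458-472, says Beta 5 / Beta 6 where this one says Beta 6 / Beta 7, so the version boundary should be confirmed before either wording is committed. The call and the enclosing function start outside the hunk.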
***************
*** 478,484 ****
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
! printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
--- 493,500 ----
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
***************
*** 522,547 ****
(void) strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf("Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
! printf("Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
! printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
return;

errout:
! Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf("%s\r\n", errbuf);
if (auth_context) {
krb5_auth_con_free(telnet_context, auth_context);
auth_context = 0;
--- 538,572 ----
(void) strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf(
! "telnetd: Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
! printf("telnetd: Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
! printf("telnetd: Unknown Kerberos option %d\r\n",
! data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
return;

errout:
! {
! char eerrbuf[128+9];
!
! strcpy(eerrbuf, "telnetd: ");
! strcat(eerrbuf, errbuf);
! Data(ap, KRB_REJECT, eerrbuf, -1);
! }
if (auth_debug_mode)
! printf("telnetd: %s\r\n", errbuf);
! syslog(LOG_ERR, "%s", errbuf);
if (auth_context) {
krb5_auth_con_free(telnet_context, auth_context);
auth_context = 0;
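Review bot: The new `errout:` block sizes `eerrbuf` as `128+9` and fills it with an unbounded `strcpy`/`strcat`, so it is only safe while `errbuf` (declared outside this hunk, presumably 128 bytes) keeps that size and is itself NUL-terminated in bounds; `errbuf` is in turn built with `strcat(errbuf, error_message(r))` earlier in the same hunk. I would bound the copy, for example `snprintf(eerrbuf, sizeof eerrbuf, "telnetd: %s", errbuf);`, or `sprintf(eerrbuf, "telnetd: %.127s", errbuf);` on platforms without snprintf. The `syslog(LOG_ERR, "%s", errbuf)` call correctly passes the text as an argument rather than as the format string, but the entry carries no peer identity; if the client address is reachable at this point, adding it would let an administrator correlate repeated failures from one host. The alternate patch later on the page carries the identical block in its hunk for old lines 522-547. The enclosing function starts and ends outside the hunk.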
>Audit-Trail:

From: Sam Hartman <hartmans@MIT.EDU>
To: jhawk@bbnplanet.com
Cc: krb5-bugs@MIT.EDU, krb5-bugs-redist@MIT.EDU
Subject: telnet/77: alternate patch
Date: Thu, 31 Oct 1996 18:33:44 -0500

Your original patch included a few bugs because it attributed
some telnet messages to telnetd.

Index: ChangeLog
===================================================================
RCS file: /mit/krbdev/.cvsroot/src/appl/telnet/libtelnet/ChangeLog,v
retrieving revision 5.51
diff -c -r5.51 ChangeLog
*** ChangeLog 1996/10/14 04:58:14 5.51
--- ChangeLog 1996/10/31 23:30:43
***************
*** 1,3 ****
--- 1,9 ----
+ Thu Oct 31 18:29:08 1996 Sam Hartman <hartmans@mit.edu>
+
+ * kerberos5.c : Clarify what errors come from what programs
+ (telnetd|telnet); patch by John Hawkinson <jhawk@bbnplanet.com>
+ [77]
+
Mon Oct 14 00:21:08 1996 Sam Hartman <hartmans@mit.edu>

* Makefile.in (OBJS): Remove rsaencpwd aned krb4encpwd stuff as
Index: kerberos5.c
===================================================================
RCS file: /mit/krbdev/.cvsroot/src/appl/telnet/libtelnet/kerberos5.c,v
retrieving revision 5.41
diff -c -r5.41 kerberos5.c
*** kerberos5.c 1996/05/09 15:59:11 5.41
--- kerberos5.c 1996/10/31 23:30:44
***************
*** 65,70 ****
--- 65,71 ----
#include "com_err.h"
#include <netdb.h>
#include <ctype.h>
+ #include <syslog.h>

#ifdef HAVE_STDLIB_H
#include <stdlib.h>
***************
*** 219,232 ****

if (!UserNameRequested) {
if (auth_debug_mode) {
! printf("Kerberos V5: no user name supplied\r\n");
}
return(0);
}

if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
! printf("Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
--- 220,235 ----

if (!UserNameRequested) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: no user name supplied\r\n");
}
return(0);
}

if ((r = krb5_cc_default(telnet_context, &ccache))) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: could not get default ccache\r\n");
}
return(0);
}
***************
*** 236,242 ****
"host", KRB5_NT_SRV_HST,
&creds.server))) {
if (auth_debug_mode)
! printf("Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
}

--- 239,245 ----
"host", KRB5_NT_SRV_HST,
&creds.server))) {
if (auth_debug_mode)
! printf("telnet: Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
return(0);
}

***************
*** 256,262 ****
if ((r = krb5_cc_get_principal(telnet_context, ccache,
&creds.client))) {
if (auth_debug_mode) {
! printf("Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
--- 259,266 ----
if ((r = krb5_cc_get_principal(telnet_context, ccache,
&creds.client))) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: failure on principal (%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
***************
*** 267,273 ****
if ((r = krb5_get_credentials(telnet_context, 0,
ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
! printf("Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
--- 271,278 ----
if ((r = krb5_get_credentials(telnet_context, 0,
ccache, &creds, &new_creds))) {
if (auth_debug_mode) {
! printf(
! "telnet: Kerberos V5: failure on credentials(%s)\r\n",
error_message(r));
}
krb5_free_cred_contents(telnet_context, &creds);
***************
*** 336,342 ****
krb5_free_creds(telnet_context, new_creds);
if (r) {
if (auth_debug_mode) {
! printf("Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
--- 341,347 ----
krb5_free_creds(telnet_context, new_creds);
if (r) {
if (auth_debug_mode) {
! printf("telnet: Kerberos V5: mk_req failed (%s)\r\n",
error_message(r));
}
return(0);
***************
*** 344,359 ****

if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
! printf("Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
! printf("Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
! printf("Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
--- 349,365 ----

if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
if (auth_debug_mode)
! printf("telnet: Not enough room for user name\r\n");
return(0);
}
if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
if (auth_debug_mode)
! printf(
! "telnet: Not enough room for authentication data\r\n");
return(0);
}
if (auth_debug_mode) {
! printf("telnet: Sent Kerberos V5 credentials to server\r\n");
}
return(1);
}
***************
*** 452,457 ****
--- 458,472 ----
cksum->checksum_type, cksum,
&type_check, 2, key->contents,
key->length);
+ /*
+ * Note that krb5_verify_checksum() will fail if a pre-
+ * MIT Kerberos Beta 5 client is attempting to connect
+ * to this server (Beta 6 or later). There is not way to
+ * fix this without compromising encryption. It would be
+ * reasonable to add a -i option to telnetd to ignore
+ * checksums (like in klogind). Such an option is not
+ * present at this time.
+ */
if (r) {
(void) strcpy(errbuf,
"checksum verification failed: ");
***************
*** 478,484 ****
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
! printf("Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
--- 493,500 ----
name = 0;
Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
if (auth_debug_mode) {
! printf(
! "telnetd: Kerberos5 identifies him as ``%s''\r\n",
name ? name : "");
}
auth_finished(ap, AUTH_USER);
***************
*** 522,547 ****
(void) strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf("Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
! printf("Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
! printf("Unknown Kerberos option %d\r\n", data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
return;

errout:
! Data(ap, KRB_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf("%s\r\n", errbuf);
if (auth_context) {
krb5_auth_con_free(telnet_context, auth_context);
auth_context = 0;
--- 538,572 ----
(void) strcat(errbuf, error_message(r));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
! printf(
! "telnetd: Could not read forwarded credentials\r\n");
}
else
Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
if (auth_debug_mode)
! printf("telnetd: Forwarded credentials obtained\r\n");
break;
#endif /* FORWARD */
default:
if (auth_debug_mode)
! printf("telnetd: Unknown Kerberos option %d\r\n",
! data[-1]);
Data(ap, KRB_REJECT, 0, 0);
break;
}
return;

errout:
! {
! char eerrbuf[128+9];
!
! strcpy(eerrbuf, "telnetd: ");
! strcat(eerrbuf, errbuf);
! Data(ap, KRB_REJECT, eerrbuf, -1);
! }
if (auth_debug_mode)
! printf("telnetd: %s\r\n", errbuf);
! syslog(LOG_ERR, "%s", errbuf);
if (auth_context) {
krb5_auth_con_free(telnet_context, auth_context);
auth_context = 0;

State-Changed-From-To: open-analyzed
State-Changed-By: hartmans
State-Changed-When: Thu Oct 31 18:40:36 EST 1996
State-Changed-Why:
Testing patch now

State-Changed-From-To: analyzed-closed
State-Changed-By: hartmans
State-Changed-When: Fri Nov 1 20:54:03 1996
State-Changed-Why:

Implemented using my replacement of your patch.


>Unformatted: