From: "Basch, Richard" <Richard.Basch@gs.com>
To: "krb5-bugs@mit.edu" <krb5-bugs@mit.edu>
Date: Thu, 12 Dec 2013 13:35:01 -0500
Subject: krb5-1.11 & krb5-1.12: incomplete logging
CC: "'basch@alum.mit.edu'" <basch@alum.mit.edu>, "gs-kerberos-eng@internal.email.gs.com" <gs-kerberos-eng@internal.email.gs.com>

If a user attempts to authenticate with an unknown client or to an unknown service, the service name is not depicted in the Kerberos logs.

This makes anomaly detection harder to perform as well as impeding diagnostics.

How to reproduce:

1. For AS_REQ, simply use kinit with an unknown client name (krbtgt/REALM@REALM will not be logged as the service name).

2. For TGS_REQ, simply use kvno to query an unknown service name.

What should have happened:

It should log the attempt for “client for service”, not “client for <unknown server>”

 

______________________________________________________________________________
Richard Basch
VP, Technology - Critical Infrastructure
30 Hudson St. 24th Floor | Jersey City, NJ 07302
Goldman, Sachs & Co
richard.basch@gs.com | +1 (917) 343-4071


Date: Mon, 16 Dec 2013 02:48:56 -0500
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging
To: rt-comment@krbdev.mit.edu, "''AdminCc of krbdev.mit.edu Ticket #7802':'"@mta3.srv.hcvlny.cv.net
CC: 'Richard Basch' <basch@alum.mit.edu>, richard.basch@gs.com
I also noticed one other anomaly... For TGS_REQ server princ lookup
failures, it logs twice...
i.e. two messages stating "Server not found in Kerberos database".

(It only occurs with TGS_REQ, not AS_REQ.)

Aside from the double logging (which is misleading), here is a quick patch
which I think fixes the issue.

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 268d4f4..95c3e23 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,
}
limit_string(state->cname);

+ if (!state->request->server) {
+ state->status = "NULL_SERVER";
+ errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ goto errout;
+ }
+ if ((errcode = krb5_unparse_name(kdc_context,
+ state->request->server,
+ &state->sname))) {
+ state->status = "UNPARSING_SERVER";
+ goto errout;
+ }
+ limit_string(state->sname);
+
/*
* We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
* to the backend to return naming information in lieu
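Review bot: moving the NULL_SERVER/UNPARSING_SERVER block above the client lookup changes which error a request that is bad on both counts reports: a missing or unparseable server field now returns KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN before the client principal has been looked up, where previously the client failure would have been reported first. That is probably acceptable, since the point is to have state->sname populated when errout logs, but it is a behaviour change and deserves a sentence in the commit message. The added statements are otherwise a verbatim move of the block removed in the next hunk, which is easy to confirm side by side.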
@@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,

au_state->stage = SRVC_PRINC;

- if (!state->request->server) {
- state->status = "NULL_SERVER";
- errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
- goto errout;
- }
- if ((errcode = krb5_unparse_name(kdc_context,
- state->request->server,
- &state->sname))) {
- state->status = "UNPARSING_SERVER";
- goto errout;
- }
- limit_string(state->sname);
s_flags = 0;
setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
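Review bot: `au_state->stage = SRVC_PRINC;` stays here while the NULL_SERVER and UNPARSING_SERVER checks move above the client lookup, so those two failures now reach errout with whatever stage was set before the client lookup rather than SRVC_PRINC. If the audit stage is meant to identify which principal the failing step was processing, move the stage assignment up with the block or set it again in the moved code; otherwise state in the commit message that the audit stage recorded for these two errors has changed.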
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c12de2b..76dca73 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -237,6 +237,7 @@ process_tgs_req(struct server_handle *handle, krb5_data
*pkt

errcode = search_sprinc(kdc_active_realm, request, s_flags, &server,
&status);
+ sprinc = request->server;
if (errcode != 0)
goto cleanup;
sprinc = server->princ;
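Review bot: `sprinc = request->server;` is assigned only once search_sprinc() has returned, so the requested name reaches the log for failures inside search_sprinc() but not for any earlier path that jumps to cleanup after the request has been decoded. Consider assigning it as soon as decoding succeeds instead (and only then, since `request` is not usable if decoding failed). The placement before `if (errcode != 0)` is right; a one-line comment that it is overwritten by `server->princ` on success, so the log shows the client-supplied name on failure and the canonical name on success, would help the next reader.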


Date: Mon, 16 Dec 2013 11:39:18 -0500
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging
To: rt-comment@krbdev.mit.edu, "''AdminCc of krbdev.mit.edu Ticket #7802':'"@mta6.srv.hcvlny.cv.net
CC: richard.basch@gs.com, 'Richard Basch' <basch@alum.mit.edu>
My patch is also available in github:
https://github.com/rbasch/krb5/commit/675c02025aa24ddc37c646d1501aae28372e8b7f

I finally identified the cause of the double logging (I feel silly). The
client is first sending the TGS_REQ with referral flag on, then upon
receiving an error sends a second TGS_REQ with the referral flag off. The
server side logging is therefore accurate.


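The following is an added example, not part of this ticket or of the krb5 code base, showing why the original report matters to detection work and what the referral-retry observation above does to counts: a small Python parser over krb5kdc-style log lines that separates requests whose service principal was logged from those logged as "<unknown server>" (which cannot be attributed to any service), collapses the duplicate line produced when a client retries a TGS_REQ with the referral flag cleared, and then counts distinct non-existent services requested per client. The line layout, the status tokens (ISSUE, CLIENT_NOT_FOUND, UNKNOWN_SERVER), the principal names, addresses and timestamps in SAMPLE_LOG are all constructed for the example and only approximate real krb5kdc output; the same-second de-duplication rule and the scanner threshold are illustrative assumptions, not krb5 settings. Check LINE_RE against your own KDC's log format before relying on it.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample lines approximating krb5kdc output; not real KDC logs.
# Lines 3/4 and 5/6 are the same TGS_REQ logged twice (client retry with the
# referral flag cleared); lines 3/4 show the pre-fix "<unknown server>" form.
SAMPLE_LOG = """\
Dec 12 13:35:01 kdc krb5kdc[2123](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1386873301, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 12 13:35:05 kdc krb5kdc[2123](info): AS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: CLIENT_NOT_FOUND: bogus@EXAMPLE.COM for <unknown server>, Client not found in Kerberos database
Dec 12 13:35:09 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: UNKNOWN_SERVER: authtime 1386873301, alice@EXAMPLE.COM for <unknown server>, Server not found in Kerberos database
Dec 12 13:35:09 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: UNKNOWN_SERVER: authtime 1386873301, alice@EXAMPLE.COM for <unknown server>, Server not found in Kerberos database
Dec 12 13:35:12 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: UNKNOWN_SERVER: authtime 1386873301, alice@EXAMPLE.COM for host/nosuch.example.com@EXAMPLE.COM, Server not found in Kerberos database
Dec 12 13:35:12 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: UNKNOWN_SERVER: authtime 1386873301, alice@EXAMPLE.COM for host/nosuch.example.com@EXAMPLE.COM, Server not found in Kerberos database
Dec 12 13:35:20 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.9: UNKNOWN_SERVER: authtime 1386873301, mallory@EXAMPLE.COM for cifs/fileserver01.example.com@EXAMPLE.COM, Server not found in Kerberos database
Dec 12 13:35:21 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.9: UNKNOWN_SERVER: authtime 1386873301, mallory@EXAMPLE.COM for cifs/fileserver02.example.com@EXAMPLE.COM, Server not found in Kerberos database
Dec 12 13:35:22 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.9: UNKNOWN_SERVER: authtime 1386873301, mallory@EXAMPLE.COM for cifs/fileserver03.example.com@EXAMPLE.COM, Server not found in Kerberos database
Dec 12 13:35:30 kdc krb5kdc[2123](info): TGS_REQ (4 etypes {18 17 16 23}) 10.1.2.3: ISSUE: authtime 1386873301, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web01.example.com@EXAMPLE.COM
"""

# Leading part of a line: syslog timestamp, host, process tag, request type,
# etype list, client address, status token, and the remainder.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>[\da-fA-F.:]+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
# "client for server[, message]" inside the remainder. The server field may
# contain a space when it is the "<unknown server>" placeholder, so it runs
# up to the next comma (or end of line) rather than the next whitespace.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,]+)(?:, (?P<msg>.*))?$")

UNKNOWN_SERVER = "<unknown server>"


@dataclass(frozen=True)
class KdcEvent:
    ts: str
    req: str
    addr: str
    status: str
    client: str
    server: str
    message: str


def parse_line(line):
    """Return a KdcEvent for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if p is None:
        return None
    return KdcEvent(m.group("ts"), m.group("req"), m.group("addr"),
                    m.group("status"), p.group("client"),
                    p.group("server").strip(), p.group("msg") or "")


def parse_log(text):
    """Parse every line, dropping an exact repeat of an event in the same
    second (assumption: that is how the referral-flag retry appears)."""
    events, seen = [], set()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev in seen:
            continue
        seen.add(ev)
        events.append(ev)
    return events


def unknown_service_requests(events):
    """Split 'Server not found' events into those that name the requested
    service (per-client set of names) and those logged as '<unknown server>'
    (per-client count only, because no service name survived into the log)."""
    named = defaultdict(set)
    unattributable = Counter()
    for ev in events:
        if "Server not found" not in ev.message:
            continue
        if ev.server == UNKNOWN_SERVER:
            unattributable[ev.client] += 1
        else:
            named[ev.client].add(ev.server)
    return {c: sorted(s) for c, s in named.items()}, dict(unattributable)


def flag_service_scanners(named, threshold=3):
    """Clients that asked for at least `threshold` distinct non-existent
    services; the threshold is an illustrative choice, not a krb5 setting."""
    return sorted(c for c, servers in named.items() if len(servers) >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    named, unattributable = unknown_service_requests(evs)
    print(len(evs), "events after collapsing retries")
    print("named unknown services:", named)
    print("unattributable (<unknown server>):", unattributable)
    print("possible service scanners:", flag_service_scanners(named))
```

The point the ticket makes shows up in the two result dictionaries: alice's probe for host/nosuch.example.com can be correlated with the service she asked for, while her earlier "<unknown server>" line can only be counted, not attributed, which is exactly what the fix removes. Without the de-duplication step, every TGS_REQ for a missing service would be counted twice and any threshold would trip early.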
To: rt@krbdev.MIT.EDU
Subject: Re: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 24 Dec 2013 15:00:09 -0500
"Richard Basch via RT" <rt-comment@krbdev.mit.edu> writes:

> If a user attempts to authenticate with an unknown client or to an unknown service, the service name is not depicted in the Kerberos logs.
>
> This makes anomaly detection harder to perform as well as impede diagnostics.
>
> How to reproduce:
>
> 1. For AS_REQ, simply use kinit with an unknown client name (krbtgt/REALM@REALM will not be logged as the service name).

Can you clarify whether you see this with both krb5-1.11 and
krb5-1.12? By my reading of the code, your patch to do_as_req.c
undoes the move of a code block that happened between krb5-1.11 and
krb5-1.12.

> 2. For TGS_REQ, simply use kvno to query an unknown service name.

As I recall from the code in do_tgs_req.c, the behavior for krb5-1.11
and krb5-1.12 for unknown service principal names should be the same,
so the patch probably applies to both.
From: "Basch, Richard" <Richard.Basch@gs.com>
To: "'rt-comment@krbdev.mit.edu'" <rt-comment@krbdev.mit.edu>
Date: Tue, 24 Dec 2013 21:33:52 -0500
Subject: RE: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging
Ok, I just re-ran the test under 1.11.
For the AS_REQ case, 1.11 doesn't seem to have the issue, but 1.12 does.
For the TGS_REQ case, both 1.11 and 1.12 are affected.

From: tlyu@mit.edu
Subject: git commit

Log service princ in KDC more reliably

Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.

do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.

do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.

[tlyu@mit.edu: commit message; fix TGS to catch more error cases]

https://github.com/krb5/krb5/commit/f37067776f9431879769f3874fdab6120ba3f155
Author: rbasch <probe@tardis.internal.bright-prospects.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: f37067776f9431879769f3874fdab6120ba3f155
Branch: master
src/kdc/do_as_req.c | 25 +++++++++++++------------
src/kdc/do_tgs_req.c | 5 +++++
2 files changed, 18 insertions(+), 12 deletions(-)
Date: Tue, 31 Dec 2013 18:58:09 -0500
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: [krbdev.mit.edu #7802] git commit
To: rt-comment@krbdev.mit.edu, "''AdminCc of krbdev.mit.edu Ticket #7802':'"@mta1.srv.hcvlny.cv.net, tlyu@mit.edu, krbdev@mit.edu
BTW, I am not sure this part of the patch is correct...

retval = decode_krb5_tgs_req(pkt, &request);
+ /* Save pointer to client-requested service principal, in case of
errors
+ * before a successful call to search_sprinc(). */
+ sprinc = request->server;
if (retval)
return retval;
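Review bot: agreed with the concern raised below; `request` is an out-parameter of decode_krb5_tgs_req() and is not valid when `retval` is non-zero, so `sprinc = request->server;` must sit after the `if (retval) return retval;` line, not before it. As placed, a TGS_REQ that fails to decode dereferences a null pointer before the error is returned, which the follow-up commit "Fix possible null deref in previous" later in this ticket confirms.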

If decode_krb5_tgs_req fails, I foresee a potential dereference of a null
pointer. You might only want to set sprinc after confirming retval = 0.


Date: Tue, 31 Dec 2013 20:22:52 -0500
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: [krbdev.mit.edu #7802] git commit
To: 'Richard Basch' <basch@alum.mit.edu>, rt-comment@krbdev.mit.edu, "''AdminCc of krbdev.mit.edu Ticket #7802':'"@mta1.srv.hcvlny.cv.net, tlyu@mit.edu, krbdev@mit.edu, richard.basch@gs.com
Patch is also available via github:
https://github.com/rbasch/krb5/commit/2fe117814d468c6a642f59d8190f64386415b1c3

Wiki has been updated:
https://github.com/rbasch/krb5/wiki/KDC-log-fix


From: tlyu@mit.edu
Subject: git commit

Fix possible null deref in previous

My rework of the do_tgs_req.c patch introduced a null deref if
decode_krb5_tgs_req() failed.

https://github.com/krb5/krb5/commit/30589b2a1636de9f9b68591f0e546cb0fa21989f
Author: Tom Yu <tlyu@mit.edu>
Commit: 30589b2a1636de9f9b68591f0e546cb0fa21989f
Branch: master
src/kdc/do_tgs_req.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Log service princ in KDC more reliably

Under some error conditions, the KDC would log "<unknown server>" for
the service principal because service principal information is not yet
available to the logging functions. Set the appropriate variables
earlier.

do_as_req.c: After unparsing the client, immediately unparse the
server before searching for the client principal in the KDB.

do_tgs_req.c: Save a pointer to the client-requested service
principal, to make sure it gets logged if an error happens before
search_sprinc() successfully completes.

[tlyu@mit.edu: commit message; fix TGS to catch more error cases]

(cherry picked from commit f37067776f9431879769f3874fdab6120ba3f155)

https://github.com/krb5/krb5/commit/2eb5cc575aa08b0b4c233c55cf378a5637717a90
Author: rbasch <probe@tardis.internal.bright-prospects.com>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 2eb5cc575aa08b0b4c233c55cf378a5637717a90
Branch: krb5-1.12
src/kdc/do_as_req.c | 25 +++++++++++++------------
src/kdc/do_tgs_req.c | 5 +++++
2 files changed, 18 insertions(+), 12 deletions(-)
From: tlyu@mit.edu
Subject: git commit

Fix possible null deref in previous

My rework of the do_tgs_req.c patch introduced a null deref if
decode_krb5_tgs_req() failed.

(cherry picked from commit 30589b2a1636de9f9b68591f0e546cb0fa21989f)

https://github.com/krb5/krb5/commit/1122d59f0f6eecee8478c5361269df79574b2dd7
Author: Tom Yu <tlyu@mit.edu>
Commit: 1122d59f0f6eecee8478c5361269df79574b2dd7
Branch: krb5-1.12
src/kdc/do_tgs_req.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)