Date: Tue, 11 Feb 2014 04:00:41 -0500 (EST)
From: Anders Kaseorg <andersk@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: ksu broken with 2FA principals
In krb5 1.12, ksu can no longer authenticate with my
andersk/root@ATHENA.MIT.EDU principal, which is secured with Duo
two-factor authentication:

$ ksu $USER -n andersk/root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for andersk/root@ATHENA.MIT.EDU: : [redacted]
SAM Authentication
Challenge from authentication server
Duo login: Passcode/option or press return for options: 1
ksu: Password incorrect
Goodbye

The same thing happens if I just press Enter or type anything else instead
of 1.

kinit still works, and ksu with non-2FA principals still works. ksu
worked correctly with 2FA in 1.11.3. A git bisect implicates this commit:

https://github.com/krb5/krb5/commit/f3458ed803ae97b6c6c7c63baeb82b26c4943d4c
Make empty passwords work via init_creds APIs

I’ve checked that it’s still broken in krb5-1.12.1-final and current
master (1e4bdcfe).

I’m running Ubuntu trusty amd64 (which just received 1.12 as an update two
days ago).

Anders
From: ghudson@mit.edu
Subject: git commit

Fix SAM-2 preauth when password argument is used

sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.

https://github.com/krb5/krb5/commit/3bedfe7c3724b0d22c72d1684f1cf76cfb600fdd
Author: Greg Hudson <ghudson@mit.edu>
Commit: 3bedfe7c3724b0d22c72d1684f1cf76cfb600fdd
Branch: master
src/lib/krb5/krb/preauth_sam2.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)
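The commit message above describes a layout-dependent cast: the SAM-2 code read `gak_data` as a bare `krb5_data`, which only happens to work when the password sits in the `storage` member at the start of `struct gak_password`. The following C model, added here as an illustration and not taken from krb5 or from the commit itself, reproduces that failure mode and the fix. The `krb5_data` and `gak_password` definitions are simplified stand-ins built from the commit message's description; the `password` pointer member, the function names, and the sample password are assumptions.

```c
/*
 * Added illustration (not krb5 code): why a void *gak_data that really
 * points to a struct gak_password must not be read as a bare krb5_data.
 * Types are simplified stand-ins; the `password` member is an assumption.
 */
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for krb5's krb5_data (length + pointer). */
typedef struct {
    unsigned int length;
    char *data;
} krb5_data;

/* Stand-in for struct gak_password: `storage` is filled only when the
 * password was read through the prompter; `password` (assumed name) always
 * points at the buffer that really holds the password. */
struct gak_password {
    krb5_data storage;
    const krb5_data *password;
};

/* Buggy consumer (pre-fix behaviour): interprets gak_data as a krb5_data.
 * This aliases `storage` because it is the first member of the struct. */
static int old_sam2_get_password(void *gak_data, const char **out,
                                 unsigned int *outlen)
{
    const krb5_data *pw = gak_data;
    *out = pw->data;
    *outlen = pw->length;
    return *out != NULL;
}

/* Fixed consumer: uses the type gak_data actually has. */
static int new_sam2_get_password(void *gak_data, const char **out,
                                 unsigned int *outlen)
{
    const struct gak_password *gp = gak_data;
    *out = gp->password->data;
    *outlen = gp->password->length;
    return *out != NULL;
}

/* kinit-style: prompter wrote the password into storage. */
static void setup_prompted(struct gak_password *gp, char *buf, unsigned int len)
{
    gp->storage.data = buf;
    gp->storage.length = len;
    gp->password = &gp->storage;
}

/* ksu-style: caller supplied a krb5_data; storage stays empty. */
static void setup_supplied(struct gak_password *gp, const krb5_data *supplied)
{
    gp->storage.data = NULL;
    gp->storage.length = 0;
    gp->password = supplied;
}

/* Returns 1 if the consumer recovers exactly `expected`, else 0. */
static int check(int (*getter)(void *, const char **, unsigned int *),
                 struct gak_password *gp, const char *expected)
{
    const char *p;
    unsigned int n;
    if (!getter(gp, &p, &n))
        return 0;
    return n == strlen(expected) && memcmp(p, expected, n) == 0;
}

/* Run one scenario: use_fixed selects the consumer, supplied_by_caller
 * selects the ksu-style (1) or kinit-style (0) way of passing the password.
 * Returns 1 if the consumer saw the right password, 0 otherwise. */
int consumer_sees_password(int use_fixed, int supplied_by_caller)
{
    char buf[] = "correct horse";            /* constructed sample password */
    krb5_data supplied = { (unsigned int)(sizeof buf - 1), buf };
    struct gak_password gp;

    if (supplied_by_caller)
        setup_supplied(&gp, &supplied);
    else
        setup_prompted(&gp, buf, (unsigned int)(sizeof buf - 1));

    return check(use_fixed ? new_sam2_get_password : old_sam2_get_password,
                 &gp, "correct horse");
}

int main(void)
{
    printf("old consumer, prompter path : %d\n", consumer_sees_password(0, 0));
    printf("old consumer, parameter path: %d\n", consumer_sees_password(0, 1));
    printf("new consumer, prompter path : %d\n", consumer_sees_password(1, 0));
    printf("new consumer, parameter path: %d\n", consumer_sees_password(1, 1));
    return 0;
}
```

The old consumer succeeds only on the prompter path, which is why kinit kept working while ksu (password passed as a parameter) got "Password incorrect": the string-to-key step ran on an empty buffer. The fix is purely a matter of dereferencing the struct through its real type rather than relying on member order.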
Date: Wed, 12 Feb 2014 01:05:17 -0500 (EST)
From: Anders Kaseorg <andersk@MIT.EDU>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #7862] git commit
RT-Send-Cc:
On Tue, 11 Feb 2014, Greg Hudson via RT wrote:
> Fix SAM-2 preauth when password argument is used
> https://github.com/krb5/krb5/commit/3bedfe7c3724b0d22c72d1684f1cf76cfb600fdd

Thanks, works for me on master now.

Anders
From: tlyu@mit.edu
Subject: git commit

Fix SAM-2 preauth when password argument is used

sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge. When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match. We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure. But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.

(cherry picked from commit 3bedfe7c3724b0d22c72d1684f1cf76cfb600fdd)

https://github.com/krb5/krb5/commit/249562f0371207de31f48beb6cf7431dccd6f420
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 249562f0371207de31f48beb6cf7431dccd6f420
Branch: krb5-1.12
src/lib/krb5/krb/preauth_sam2.c | 5 +++--
1 files changed, 3 insertions(+), 2 deletions(-)