Date: Tue, 13 May 2014 19:30:24 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)
To: krb5-bugs@mit.edu
CC: "'Richard Basch'" <basch@alum.mit.edu>

When a TGT has expired but is presented to the KDC, the KDC will log <unknown client> for server_principal@REALM, Ticket expired.

Though patches have already been adopted to correct the service principal logging (which was faulty in 1.11 & 1.12), the client principal is not properly decoded/displayed, especially in the “expired ticket” case. This can make diagnostics a little more challenging in some cases.

I don’t have a quick fix yet.

To reproduce:

- Get a TGT
- Let it expire and then wait until after the “grace time”
- Attempt to get a service ticket (using TGS_REQ). I use “kvno” on a Linux 5 system which is compiled against the 1.6 libraries (1.12 client library detects the ticket is already expired without ever sending the request to the KDC).

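The report above is about a KDC log line that names the server but not the client. As an added example (not part of this ticket or of the krb5 code), the following parser pulls the client, server and error out of TGS_REQ lines and tallies "Ticket expired" events, separating entries where a pre-fix KDC only wrote `<unknown client>` and falling back to the request's source address for those. The log lines are constructed to resemble krb5kdc's PROCESS_TGS/ISSUE messages; the exact field layout is an assumption.

```python
import re
from collections import Counter

UNKNOWN = "<unknown client>"

# Constructed sample lines modelled on krb5kdc TGS_REQ logging. The first
# line is what a KDC without the fix emits for an expired TGT; the third
# shows the client principal being logged for the same error.
SAMPLE_LOG = """\
May 13 19:30:24 kdc krb5kdc[2231](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.10: PROCESS_TGS: authtime 0,  <unknown client> for host/app1.example.com@EXAMPLE.COM, Ticket expired
May 13 19:31:02 kdc krb5kdc[2231](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.11: ISSUE: authtime 1399999999, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/app1.example.com@EXAMPLE.COM
May 13 19:32:40 kdc krb5kdc[2231](info): TGS_REQ (4 etypes {18 17 16 23}) 192.0.2.12: PROCESS_TGS: authtime 0,  bob@EXAMPLE.COM for host/app2.example.com@EXAMPLE.COM, Ticket expired
"""

# Client is either the literal "<unknown client>" (contains a space) or a
# principal; an optional ", <error>" trails the server principal.
TGS_RE = re.compile(
    r"TGS_REQ \([^)]*\) (?P<addr>[^:]+): (?P<stage>ISSUE|PROCESS_TGS): "
    r".*?(?P<client><unknown client>|\S+) for (?P<server>\S+)"
    r"(?:, (?P<error>.+))?$"
)


def parse_tgs_line(line):
    """Return a dict for a TGS_REQ log line, or None for other lines."""
    m = TGS_RE.search(line)
    if not m:
        return None
    return {"addr": m["addr"], "stage": m["stage"], "client": m["client"],
            "server": m["server"], "error": m["error"]}


def expired_ticket_events(lines):
    """Parsed TGS events whose error is 'Ticket expired'."""
    events = (parse_tgs_line(l) for l in lines)
    return [e for e in events if e and e["error"] == "Ticket expired"]


def summarize_expired(lines):
    """Count expired-ticket TGS errors per client; entries the KDC could
    not attribute are counted separately and keyed by source address."""
    events = expired_ticket_events(lines)
    by_client = Counter(e["client"] for e in events if e["client"] != UNKNOWN)
    unknown_by_addr = Counter(e["addr"] for e in events if e["client"] == UNKNOWN)
    return {"expired": len(events),
            "unknown_client": sum(unknown_by_addr.values()),
            "by_client": dict(by_client),
            "unknown_by_addr": dict(unknown_by_addr)}


if __name__ == "__main__":
    print(summarize_expired(SAMPLE_LOG.splitlines()))
```

A non-zero `unknown_client` count on a KDC newer than this fix would indicate the ticket could not be decrypted at all, rather than the logging gap described here.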
From: Tom Yu <tlyu@MIT.EDU>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)
Date: Wed, 14 May 2014 15:21:21 -0400
RT-Send-Cc:
"Richard Basch via RT" <rt-comment@krbdev.mit.edu> writes:

> When a TGT has expired but is presented to the KDC, the KDC will log
> <unknown client> for server_principal@REALM, Ticket expired.
>
> Though patches have already been adopted to correct the service principal
> logging (which was faulty in 1.11 & 1.12), the client principal is not
> properly decoded/displayed, especially in the "expired ticket" case. This
> can make diagnostics a little more challenging in some cases.

I agree that omitting the client name from that error can make
diagnostics challenging. I think we've known about this issue for quite
some time, but haven't figured out a good way to fix it yet.

I would not expect fixing this to be easy. As I recall, there would
need to be changes to the error paths in rd_req_decoded_opt() to
preserve some of the decrypted and decoded ticket contents, and we would
consequently have to work harder to correctly manage the associated
memory allocations.

Date: Tue, 03 Jun 2014 18:51:31 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)
To: rt-comment@krbdev.mit.edu
CC: tlyu@mit.edu, ghudson@mit.edu, 'Richard Basch' <basch@alum.mit.edu>, kayla.c.harrison@gmail.com
RT-Send-Cc:
Proposed patch:
https://github.com/rbasch/krb5/commit/fe8223afe3acf8749a1aed62044359bbf5bc6a75
This is a little cleaner than the one I sent via private email a couple days
ago, though it is functionally equivalent.

Date: Tue, 03 Jun 2014 19:19:09 -0400
From: Richard Basch <basch@alum.mit.edu>
Subject: RE: [krbdev.mit.edu #7910] krb5-1.12 logging incomplete (PROCESS_TGS - Ticket expired)
To: rt-comment@krbdev.mit.edu
CC: tlyu@mit.edu, ghudson@mit.edu, kayla.c.harrison@gmail.com, 'Richard Basch' <basch@alum.mit.edu>
RT-Send-Cc:
Resending (reformatted to avoid line break in middle of URL).

Proposed fix:

https://github.com/rbasch/krb5/commit/fe8223afe3acf8749a1aed62044359bbf5bc6a75

I will adjust this change by paring down the comments and adding a test
case, and submit a pull request. The relatively minor behavior change to
krb5_rd_req_decoded is fine because it hasn't been a public API since
1.2.2. The behavior change isn't visible through krb5_rd_req.

I will also add some notes to http://k5wiki.kerberos.org/wiki/Cleanups on
hygienic changes we might make based on the analysis I did while looking
at this issue.

From: ghudson@mit.edu
Subject: git commit

In KDC, log client principal in bad header ticket

Fix KDC logging to include client principal in TGS_REQ logging even
during error conditions such as "Ticket expired". As long as the
TGS_REQ can be decrypted and the client principal is available, it
should be included in the log, regardless of other errors which might
be detected.

krb5_rd_req_decoded and krb5_rd_req_decoded_anyflag (not public
interfaces) now leave the decrypted ticket in req->ticket->enc_part2
on success or failure, if the ticket was successfully decrypted. This
does not affect the behavior of krb5_rd_req.

[ghudson@mit.edu: removed extraneous change, added commit message
summary and description of internal API change, fixed possible memory
leak, removed comment and #if 0 code block of purely historical
interest]

https://github.com/krb5/krb5/commit/f07516a9f65207b1fb2f9f07b1ec7d3caa51c6be
Author: rbasch <probe@tardis.internal.bright-prospects.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: f07516a9f65207b1fb2f9f07b1ec7d3caa51c6be
Branch: master
src/kdc/kdc_util.c | 20 ++++++++++++++++++--
src/lib/krb5/krb/rd_req_dec.c | 7 -------
2 files changed, 18 insertions(+), 9 deletions(-)

From: ghudson@mit.edu
Subject: git commit

Add test for KDC client logging

Add a test case which performs a TGS request with an expired ticket
and checks that the client principal is logged.

https://github.com/krb5/krb5/commit/4799121941cfd846f9d3d7a905ac4c84342ff306
Author: Greg Hudson <ghudson@mit.edu>
Commit: 4799121941cfd846f9d3d7a905ac4c84342ff306
Branch: master
src/tests/Makefile.in | 1 +
src/tests/t_kdc_log.py | 23 +++++++++++++++++++++++
2 files changed, 24 insertions(+), 0 deletions(-)