Skip Menu |
 

From: Russ Allbery <eagle@eyrie.org>
To: krb5-bugs@mit.edu
Subject: gss_init_sec_context w/host@<hostname> fails with anonymous tickets
Date: Wed, 23 Dec 2015 15:59:59 -0800
Download (untitled) / with headers
text/plain 2.3KiB
Given a Kerberos KDC configured to issue anonymous service tickets, a
client with an anonymous TGT (obtained with kinit -n) fails in
gss_init_sec_context when trying to authenticate to a host in the default
local realm when gss_import_name is called with "host@<hostname>" as the
name.

If gss_import_name is called with "host/<hostname>" instead, this works
correctly.

KRB5_TRACE says:

[82592] 1450814219.510525: ccselect can't find appropriate cache for server principal host/dfw3b-rm1-1b.sjc.dropbox.com@
[82592] 1450814219.510698: Getting credentials WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ using ccache FILE:/tmp/krb5cc_1214
[82592] 1450814219.510824: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@ from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found
[82592] 1450814219.510914: Retrying WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS with result: -1765328243/Matching credential not found
[82592] 1450814219.510926: Server has referral realm; starting with host/dfw3b-rm1-1b.sjc.dropbox.com@WELLKNOWN:ANONYMOUS
[82592] 1450814219.511006: Retrieving WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS -> krbtgt/WELLKNOWN:ANONYMOUS@WELLKNOWN:ANONYMOUS from FILE:/tmp/krb5cc_1214 with result: -1765328243/Matching credential not found

so it looks like what's happening is that the service ticket lookup code
is getting very confused by the @WELLKNOWN:ANONYMOUS realm instead of
falling back on using the local realm to get service tickets. I'm not
sure why this suddenly starts working with the host/<hostname> form of
name instead, although my guess is that the local default realm is
automatically appended to that Kerberos principal name and that somehow
unconfuses the service ticket fetch algorithm.

This behavior was seen using remctl 3.10 as the client and server, in case
there are any pecularities of how it calls GSS-API that are relevant.
(Both available from <http://www.eyrie.org/~eagle/software/remctl/>.) The
user-visible error was:

$ kinit -n
$ remctl dfw3b-rm1-1b.sjc.dropbox.com bootstrap help
remctl: GSS-API error initializing context: Unspecified GSS failure. Minor code may provide more information, Matching credential not found

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
This is a known problem, although I don't seem to have created a ticket
for it. It's a pretty serious impediment to using anonymous tickets,
which is unfortunate. Basically, you can contact a target service if its
realm is known and is the same as the realm where the client got
anonymous tickets; if the service realm is unknown or is a foreign realm,
get_creds tries to start with a TGT for WELLKNOWN:ANONYMOUS and fails.

An outline of the solution is at
http://k5wiki.kerberos.org/wiki/Projects/StartRealmCCconfig, but we
haven't implemented it yet.

A possible workaround for local-realm use is to configure a
[domain_realm] on the client so that it doesn't try to use the referral
realm for host-based service names.
From: Russ Allbery <eagle@eyrie.org>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets
Date: Wed, 23 Dec 2015 22:21:03 -0800
RT-Send-Cc:
Download (untitled) / with headers
text/plain 1.7KiB
"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> This is a known problem, although I don't seem to have created a ticket
> for it. It's a pretty serious impediment to using anonymous tickets,
> which is unfortunate.

For the record, anonymous tickets are pretty awesome, and I'm already
using the new anonymous support in remctl to great effect to solve a
system keytab bootstrapping problem I've been worrying at for years.
Everything seems to work fine as long as one stays within the same realm
and specifies the server to authenticate to using the Kerberos principal
syntax. The limitation isn't too bad for me and is pretty easy to work
around.

Show quoted text
> An outline of the solution is at
> http://k5wiki.kerberos.org/wiki/Projects/StartRealmCCconfig, but we
> haven't implemented it yet.

Ah, yes, now the problem makes lots of sense.

Show quoted text
> A possible workaround for local-realm use is to configure a
> [domain_realm] on the client so that it doesn't try to use the referral
> realm for host-based service names.

Oh, that explains why I didn't encounter this problem in my dev
environment.

Unfortunately, the environment I'm working in has no DNS domain structure
that maps to Kerberos realms, so I literally have separate TXT records for
each of a very large number of machines to map them to the appropriate
realms. [domain_realm] doesn't work very well for that. :/ (I'd love
some way to put wildcard matches into [domain_realm] rather than just
domains; I can potentially fix the domain structure, but that's a rather
invasive change.)

Apparently you need an actual [domain_realm] section; DNS TXT records and
enabling DNS domain-realm lookups isn't sufficient?

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
It looks like we only use the fallback realm (which would include TXT
records) if we make a query to the client principal realm and get an
error. If we can't even make the query to the client realm, we give up.

We do have a hostrealm pluggable interface starting in 1.12, so in theory
you could write a hostrealm module which supplies the service principal
realm as an authoritative realm, perhaps using wildcard matching.
Deploying such a module to all of the clients may not be attractive,
depending on your environment.
From: Russ Allbery <eagle@eyrie.org>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets
Date: Thu, 24 Dec 2015 09:24:18 -0800
RT-Send-Cc:
"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text
> We do have a hostrealm pluggable interface starting in 1.12, so in
> theory you could write a hostrealm module which supplies the service
> principal realm as an authoritative realm, perhaps using wildcard
> matching. Deploying such a module to all of the clients may not be
> attractive, depending on your environment.

Oh, interesting, thank you. That may very well be an option for us.

--
Russ Allbery (eagle@eyrie.org) <http://www.eyrie.org/~eagle/>
From: ghudson@mit.edu
Subject: git commit
Download (untitled) / with headers
text/plain 1.5KiB

Add support for start_realm cache config

When making TGS requests, if start_realm is set in the cache, use the
named realm to look up the initial TGT for referral or cross-realm
requests. (Also correct a comment in struct _tkt_creds_context: the
ccache field is an owner pointer, not an alias.)

Add an internal API k5_cc_store_primary_cred(), which sets start_realm
if the cred being stored is a TGT for a realm other than the client
realm. Use this API when acquiring initial tickets with a
caller-specified output ccache, when renewing or validating tickets
with kinit, when accepting a delegated credential in a GSS context,
and when storing a single cred with kvno --out-cache.

https://github.com/krb5/krb5/commit/0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96
Branch: master
doc/formats/ccache_file_format.rst | 6 ++++++
src/clients/kinit/kinit.c | 2 +-
src/clients/kvno/kvno.c | 5 ++++-
src/include/k5-int.h | 4 ++++
src/lib/gssapi/krb5/accept_sec_context.c | 2 +-
src/lib/krb5/ccache/ccfns.c | 20 ++++++++++++++++++++
src/lib/krb5/krb/get_creds.c | 28 +++++++++++++++++++++-------
src/lib/krb5/krb/get_in_tkt.c | 2 +-
src/lib/krb5/libkrb5.exports | 1 +
src/lib/krb5_32.def | 3 +++
src/tests/t_crossrealm.py | 8 ++++++++
src/tests/t_pkinit.py | 3 +++
12 files changed, 73 insertions(+), 11 deletions(-)
Subject: git commit
From: ghudson@mit.edu
Download (untitled) / with headers
text/plain 1.6KiB

Add support for start_realm cache config

When making TGS requests, if start_realm is set in the cache, use the
named realm to look up the initial TGT for referral or cross-realm
requests. (Also correct a comment in struct _tkt_creds_context: the
ccache field is an owner pointer, not an alias.)

Add an internal API k5_cc_store_primary_cred(), which sets start_realm
if the cred being stored is a TGT for a realm other than the client
realm. Use this API when acquiring initial tickets with a
caller-specified output ccache, when renewing or validating tickets
with kinit, when accepting a delegated credential in a GSS context,
and when storing a single cred with kvno --out-cache.

(cherry picked from commit 0d56740ab9fcc40dc7f46c6fbebdf8f1214f9d96)

https://github.com/krb5/krb5/commit/58b4b38e104f0a73b7ac5700c1715a22bbb4604b
Author: Greg Hudson <ghudson@mit.edu>
Commit: 58b4b38e104f0a73b7ac5700c1715a22bbb4604b
Branch: krb5-1.19
doc/formats/ccache_file_format.rst | 6 ++++++
src/clients/kinit/kinit.c | 2 +-
src/clients/kvno/kvno.c | 5 ++++-
src/include/k5-int.h | 4 ++++
src/lib/gssapi/krb5/accept_sec_context.c | 2 +-
src/lib/krb5/ccache/ccfns.c | 20 ++++++++++++++++++++
src/lib/krb5/krb/get_creds.c | 28 +++++++++++++++++++++-------
src/lib/krb5/krb/get_in_tkt.c | 2 +-
src/lib/krb5/libkrb5.exports | 1 +
src/lib/krb5_32.def | 3 +++
src/tests/t_crossrealm.py | 8 ++++++++
src/tests/t_pkinit.py | 3 +++
12 files changed, 73 insertions(+), 11 deletions(-)