Date: Fri, 8 Jan 2016 04:08:47 -0500 (EST)
From: Anders Kaseorg <andersk@mit.edu>
To: krb5-bugs@mit.edu
Subject: ksu broken with 2FA principals again
In krb5 1.13, ksu is unable to authenticate with my
andersk/root@ATHENA.MIT.EDU principal, which is secured with Duo
two-factor authentication:

$ ksu $USER -n andersk/root
WARNING: Your password may be exposed if you enter it here and are logged
in remotely using an unsecure (non-encrypted) channel.
Kerberos password for andersk/root@ATHENA.MIT.EDU: :
ksu: Cannot read password while getting initial credentials
Goodbye

I reported a similar but separate problem with ksu at
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7862; that one was fixed
in krb5-1.13-alpha1~225 and krb5-1.12.2-final~55. This time, it doesn’t
even get as far as prompting for the second challenge.

kinit still works, and ksu with non-2FA principals still works.

Bisection searches on various branches show that this new problem showed
up here:

commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de
Author: Nalin Dahyabhai <nalin@redhat.com>
Date: Tue Sep 16 13:50:05 2014 -0400

Fix ksu crash in cases where it obtains the TGT

In order to allow ksu to use any locally-present service key for
verifying creds, the previous change to ksu switched from using a
retrieved or obtained TGT to fetch creds for the local "host" service,
and then passing those creds to krb5_verify_init_creds(), to passing the
retrieved TGT directly to krb5_verify_init_creds().

It did not take care to retrieve the TGT from the temporary ccache if it
had obtained them, and in those cases it would attempt to verify NULL
creds.

Modify the krb5_get_tkt_via_passwd() function to call
krb5_get_init_creds_password(), to pass back the freshly-obtained creds,
to take a "krb5_get_init_creds_opt" pointer instead of a locally-defined
options structure, and rename it to ksu_get_tgt_via_passwd().

ticket: 8015 (new)
target_version: 1.13
tags: pullup

GOOD krb5-1.14-alpha1~237 (59cbb76 Document KDC TCP listener change)
BAD krb5-1.14-alpha1~236 (5fd5a67 Fix ksu crash in cases where it obtains the TGT)

GOOD krb5-1.13-beta1~9 (8f8cf0e Document KDC TCP listener change)
BAD krb5-1.13-beta1~8 (5ccab82 Fix ksu crash in cases where it obtains the TGT)

Current master (09e8307) and krb5-1.13 (d19f02e) are still broken.
krb5-1.12 (d93407b) is unaffected.

Anders

Thanks for the detailed report. This turns out to be very simple:
krb5_get_init_creds_password() accepts a prompter parameter, while the
deprecated krb5_get_in_tkt_with_password() always uses
krb5_prompter_posix(). The referenced commit passes NULL for the
prompter, so preauth modules can't prompt for additional information.
Passing krb5_prompter_posix makes it work. I will submit a PR.
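The mechanism behind the one-line fix, as an added illustration that is not ksu or libkrb5 code: in the real API, krb5_get_init_creds_password() takes a krb5_prompter_fct and an opaque data pointer, and hands that callback to every clpreauth module, so a NULL prompter leaves a module that needs a second factor with no way to ask the user. The model below reproduces that contract in plain C with invented model_* names, a constructed password and OTP value, and a scripted prompter standing in for the terminal; it is an assumption of the model, not a statement about libkrb5 internals, that the OTP module returns the "cannot read password" error as soon as it sees a NULL prompter.

```c
/*
 * Model of the prompter contract behind the ksu fix. Not ksu or libkrb5 code;
 * every model_* name, the sample password and the OTP value are invented here.
 */
#include <stdio.h>
#include <string.h>

#define MODEL_OK              0
#define MODEL_CANTREADPWD     1   /* stands in for "Cannot read password" */
#define MODEL_PREAUTH_FAILED  2

/* Shape of a prompter callback: answer the question `prompt` into `reply`. */
typedef int (*model_prompter_fct)(void *data, const char *prompt,
                                  char *reply, size_t replylen);

/* A clpreauth-style module that needs one extra challenge answered. */
static int model_otp_module(model_prompter_fct prompter, void *data,
                            const char *expected_otp)
{
    char reply[64];

    /* Assumption of this model: with no prompter, nothing can be asked,
     * so the module bails before the second challenge is ever shown. */
    if (prompter == NULL)
        return MODEL_CANTREADPWD;
    if (prompter(data, "Enter OTP token value: ", reply, sizeof(reply)) != 0)
        return MODEL_CANTREADPWD;
    return strcmp(reply, expected_otp) == 0 ? MODEL_OK : MODEL_PREAUTH_FAILED;
}

/* Models the caller's view of krb5_get_init_creds_password(): the password
 * was already collected by the caller; preauth modules only get whatever
 * prompter the caller passed through. */
int model_get_init_creds_password(const char *password,
                                  const char *expected_password,
                                  int principal_requires_otp,
                                  model_prompter_fct prompter, void *data,
                                  const char *expected_otp)
{
    if (strcmp(password, expected_password) != 0)
        return MODEL_PREAUTH_FAILED;
    if (!principal_requires_otp)
        return MODEL_OK;             /* non-2FA principals never prompt */
    return model_otp_module(prompter, data, expected_otp);
}

/* Interactive prompter, the analogue of krb5_prompter_posix: reads one line
 * from stdin. `data` is the slot a caller uses to pass its own state. */
int model_prompter_posix(void *data, const char *prompt,
                         char *reply, size_t replylen)
{
    (void)data;
    fputs(prompt, stdout);
    fflush(stdout);
    if (fgets(reply, (int)replylen, stdin) == NULL)
        return -1;
    reply[strcspn(reply, "\n")] = '\0';
    return 0;
}

/* Scripted prompter so the model runs without a terminal; `data` is the
 * constructed answer the "user" types. */
int model_prompter_scripted(void *data, const char *prompt,
                            char *reply, size_t replylen)
{
    (void)prompt;
    snprintf(reply, replylen, "%s", (const char *)data);
    return 0;
}

/* ksu after commit 5fd5a67: prompter == NULL, the OTP module fails at once. */
int model_ksu_before_fix(void)
{
    return model_get_init_creds_password("hunter2", "hunter2", 1,
                                         NULL, NULL, "123456");
}

/* ksu after commit 23a16fb: a prompter is passed, so the second challenge
 * is actually asked and checked. */
int model_ksu_after_fix(const char *otp_typed)
{
    return model_get_init_creds_password("hunter2", "hunter2", 1,
                                         model_prompter_scripted,
                                         (void *)otp_typed, "123456");
}

int main(void)
{
    printf("before fix: %d (expect %d)\n",
           model_ksu_before_fix(), MODEL_CANTREADPWD);
    printf("after fix, correct OTP: %d (expect %d)\n",
           model_ksu_after_fix("123456"), MODEL_OK);
    printf("after fix, wrong OTP: %d (expect %d)\n",
           model_ksu_after_fix("000000"), MODEL_PREAUTH_FAILED);
    return 0;
}
```

The point the model makes is that the prompter is not only for reading the password: any caller that collects the password itself and then passes NULL has silently disabled every interactive preauth module for that principal, which is why kinit (which passes a prompter) kept working while ksu did not.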

From: ghudson@mit.edu
Subject: git commit

Make ksu work with prompting clpreauth modules

Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.

https://github.com/krb5/krb5/commit/23a16fb5eac733880e34a770882ed17b93b5d66c
Author: Greg Hudson <ghudson@mit.edu>
Commit: 23a16fb5eac733880e34a770882ed17b93b5d66c
Branch: master
src/clients/ksu/krb_auth_su.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

From: tlyu@mit.edu
Subject: git commit

Make ksu work with prompting clpreauth modules

Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.

(cherry picked from commit 23a16fb5eac733880e34a770882ed17b93b5d66c)

https://github.com/krb5/krb5/commit/fdc03ea1577e071875b436eed0e0bd2a880daf44
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: fdc03ea1577e071875b436eed0e0bd2a880daf44
Branch: krb5-1.14
src/clients/ksu/krb_auth_su.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

Date: Fri, 8 Jan 2016 16:31:00 -0500 (EST)
From: Anders Kaseorg <andersk@mit.edu>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #8340] ksu broken with 2FA principals again
RT-Send-Cc:
Thanks. Verified fixed on master (23a16fb) and krb5-1.14 (fdc03ea).

Anders

From: tlyu@mit.edu
Subject: git commit

Make ksu work with prompting clpreauth modules

Commit 5fd5a67c5a93514e7d0a64425baa007ad91f57de switched ksu from
using krb5_get_in_tkt_with_password() to
krb5_get_init_creds_password(), but did not supply a prompter
argument. Pass krb5_prompter_posix so that clpreauth modules can
prompt for additional information during authentication.

(cherry picked from commit 23a16fb5eac733880e34a770882ed17b93b5d66c)

https://github.com/krb5/krb5/commit/92ffd801940822c680c4719dc22ca3be29820688
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: 92ffd801940822c680c4719dc22ca3be29820688
Branch: krb5-1.13
src/clients/ksu/krb_auth_su.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

Date: Fri, 8 Jan 2016 17:23:26 -0500 (EST)
From: Anders Kaseorg <andersk@mit.edu>
To: Greg Hudson via RT <rt-comment@krbdev.mit.edu>
Subject: Re: [krbdev.mit.edu #8340] ksu broken with 2FA principals again
RT-Send-Cc:
Also verified fixed on krb5-1.13 (92ffd80).

Anders