[krbdev.mit.edu #3456] 1.4.3 kdc fails with 1.2.8 client and des-cbc-crc:afs3 key
The RT System itself via RT
rt-comment at krbdev.mit.edu
Wed Feb 15 20:04:40 EST 2006
>From krb5-bugs-incoming-bounces at PCH.mit.edu Wed Feb 15 20:04:36 2006
Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP
id UAA22000; Wed, 15 Feb 2006 20:04:36 -0500 (EST)
Received: from pch.mit.edu (pch.mit.edu [127.0.0.1])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id k1G145ei015563
for <krb5-send-pr at krbdev.mit.edu>; Wed, 15 Feb 2006 20:04:05 -0500
Received: from fort-point-station.mit.edu (FORT-POINT-STATION.MIT.EDU
[18.7.7.76])
by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id k1FMoaei028490
for <krb5-bugs-incoming at PCH.mit.edu>; Wed, 15 Feb 2006 17:50:36 -0500
Received: from quince.ifs.umich.edu (quince.ifs.umich.edu [141.213.229.138])
by fort-point-station.mit.edu (8.12.4/8.9.2) with SMTP id
k1FMoZG0015961
for <krb5-bugs at mit.edu>; Wed, 15 Feb 2006 17:50:35 -0500 (EST)
Received: from sisyphus.ifs.umich.edu (sisyphus.ifs.umich.edu
[141.211.14.215]) by quince.ifs.umich.edu (8.6.13/8.6.12) with
ESMTP id RAA14779; Wed, 15 Feb 2006 17:50:34 -0500
Message-Id: <200602152250.RAA14779 at quince.ifs.umich.edu>
To: krb5-bugs at mit.edu
X-send-pr-version: 3.99
Date: Wed, 15 Feb 2006 17:50:33 -0500
From: Marcus Watts <mdw at umich.edu>
X-Spam-Score: -0.783
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 15 Feb 2006 20:02:07 -0500
Cc: mdw at umich.edu
X-BeenThere: krb5-bugs-incoming at mailman.mit.edu
X-Mailman-Version: 2.1.6
Precedence: list
Reply-To: mdw at umich.edu
Sender: krb5-bugs-incoming-bounces at PCH.mit.edu
Errors-To: krb5-bugs-incoming-bounces at PCH.mit.edu
>Submitter-Id: net
>Originator: Marcus Watts
>Organization:
University of Michigan
>Confidential: no
>Synopsis: 1.4.3 kdc fails with 1.2.8 client and des-cbc-crc:afs3 key
>Severity: serious
>Priority: high
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.4.3
>Environment:
i686-pc-linux-gnu, linux 2.4.26, i686-pc-linux-gnu
System: Linux fear.ifs.umich.edu 2.4.26 #1 SMP Fri May 7 03:55:08 EDT 2004 i686 unknown unknown GNU/Linux
Architecture: i686
>Description:
The problem seems to be that 1.4.3 returns ETYPE_INFO and ETYPE_INFO2
PADATA in an AS-RESP. The old version only returns ETYPE_INFO for a
"preauth needed" error. 1.2.8 clients believe that ETYPE_INFO PADATA
supersedes AFS3_SALT PADATA, so when they see this in an AS-REQ, they
use the wrong string to key function and fail. Later clients see the
ETYPE_INFO2 data, and behave properly. The MIT 1.4.3 readme notes
the change, but fails to identify what it will break.
As-shipped MacOS 10.2.8 has similar behavior to 1.2.8 clients.
>How-To-Repeat:
on kdc running 1.4.3:
/usr/krb5/sbin/kadmin.local
cpw -e des-cbc-crc:afs3 SOME-PRINCIPAL
modprinc -requires_preauth SOME-PRINCIPAL
quit
on krb5 1.2.8 client:
kinit SOME-PRINCIPAl
observe output like this:
aardvark$ ./kinit testviii at DOGS.UMICH.EDU
Password for testviii at DOGS.UMICH.EDU:
kinit(v5): Password incorrect while getting initial credentials
aardvark$
with a 1.4.2 kdc, the client works fine.
>Fix:
Apply this patch to kdc/kdc_preauth.c
http://www.umich.edu/~mdw/krb5143-kdcetype.diff
This modifies etype_info handling to not return etype_info
in cases where the information would be just plain wrong
and confuses older clients (where s2k params would be returned).
More information about the krb5-bugs
mailing list