[krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging

Mon Dec 16 11:39:21 EST 2013

My patch is also available in github:
https://github.com/rbasch/krb5/commit/675c02025aa24ddc37c646d1501aae28372e8b
7f

I finally identified the cause of the double logging (I feel silly). The
client is first sending the TGS_REQ with referral flag on, then upon
receiving an error sends a second TGS_REQ with the referral flag off. The
server side logging is therefore accurate.


-----Original Message-----
From: Richard Basch [mailto:basch at alum.mit.edu] 
Sent: Monday, December 16, 2013 2:49 AM
To: 'rt-comment at krbdev.mit.edu'; ''AdminCc of krbdev.mit.edu Ticket #7802':'
Cc: 'Richard Basch'; 'richard.basch at gs.com'
Subject: RE: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete
logging 

I also noticed one other anomaly... For TGS_REQ server princ lookup
failures, it logs twice...
i.e. two messages stating "Server not found in Kerberos database".

(It only occurs with TGS_REQ, not AS_REQ.)

Aside from the double logging (which is misleading), here is a quick patch
which I think fixes the issue.

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 268d4f4..95c3e23 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -555,6 +555,19 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,
     }
     limit_string(state->cname);

+    if (!state->request->server) {
+        state->status = "NULL_SERVER";
+        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+        goto errout;
+    }
+    if ((errcode = krb5_unparse_name(kdc_context,
+                                     state->request->server,
+                                     &state->sname))) {
+        state->status = "UNPARSING_SERVER";
+        goto errout;
+    }
+    limit_string(state->sname);
+
     /*
      * We set KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY as a hint
      * to the backend to return naming information in lieu
@@ -604,18 +617,6 @@ process_as_req(krb5_kdc_req *request, krb5_data
*req_pkt,

     au_state->stage = SRVC_PRINC;

-    if (!state->request->server) {
-        state->status = "NULL_SERVER";
-        errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
-        goto errout;
-    }
-    if ((errcode = krb5_unparse_name(kdc_context,
-                                     state->request->server,
-                                     &state->sname))) {
-        state->status = "UNPARSING_SERVER";
-        goto errout;
-    }
-    limit_string(state->sname);
     s_flags = 0;
     setflag(s_flags, KRB5_KDB_FLAG_ALIAS_OK);
     if (isflagset(state->request->kdc_options, KDC_OPT_CANONICALIZE)) {
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c12de2b..76dca73 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -237,6 +237,7 @@ process_tgs_req(struct server_handle *handle, krb5_data
*pkt

     errcode = search_sprinc(kdc_active_realm, request, s_flags, &server,
                             &status);
+    sprinc = request->server;
     if (errcode != 0)
         goto cleanup;
     sprinc = server->princ;


-----Original Message-----
From: krb5-bugs-bounces at MIT.EDU [mailto:krb5-bugs-bounces at MIT.EDU] On Behalf
Of Richard Basch via RT
Sent: Thursday, December 12, 2013 4:19 PM
To: 'AdminCc of krbdev.mit.edu Ticket #7802':
Subject: [krbdev.mit.edu #7802] krb5-1.11 & krb5-1.12: incomplete logging 

If a user attempts to authenticate with an unknown client or to an unknown
service, the service name is not depicted in the Kerberos logs.

This makes anomaly detection harder to perform as well as impede
diagnostics.

How to reproduce:

1.       For AS_REQ, simply use kinit with an unknown client name
(krbtgt/REALM at REALM will not be logged as the service name).

2.       For TGS_REQ, simply use kvno to query an unknown service name.

What should have happened:
It should log the attempt for "client for service", not "client for <unknown
server>"

____________________________________________________________________________
__
Richard Basch
VP, Technology - Critical Infrastructure
30 Hudson St.  24th Floor | Jersey City, NJ 07302
Goldman, Sachs & Co
richard.basch at gs.com<mailto:richard.basch at gs.com>  | +1 (917) 343-4071

P Save a tree: Please don't print this mail unless necessary.

The Goldman Sachs Group, Inc. All rights reserved.
See http://www.gs.com/disclaimer/global_email for important risk
disclosures, conflicts of interest and other terms and conditions relating
to this e-mail and your reliance on information contained in it.  This
message may contain confidential or privileged information.  If you are not
the intended recipient, please advise us immediately and delete this
message.  See http://www.gs.com/disclaimer/email for further information on
confidentiality and the risks of non-secure electronic communication.  If
you cannot access these links, please notify us by reply message and we will
send the contents to you.


_______________________________________________
krb5-bugs mailing list
krb5-bugs at mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs


