[krbdev.mit.edu #8787] Bug in leash_kinit (problem with password's size)

Joshua Acosta via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Feb 26 11:01:23 EST 2019 

Hi,

We are programming an authentification solution bettween ZOS IBM an
Windows.
The project is go very well and we can now validate our users using trusted
rule's between Active Directory and RACF, but, in some situations, we need
to validate directly to RACF and we found a problem when need to change a
user's password (if it are expired) in the leash_kinit process if the
password size is minor than the maximum expected in RACF, in our case, 6
characters and maximun are 8.

We can say this because we found a diferent behavior if we do that with
line comands or via code (programming). Now, we are doing a walkarround
modifyng the passwords size, but we need to explain this problem to you.

We have been retrieving the most cleary information that we can offer:
Let's go.

1 The environment
  =============
  PC with Kerberos for Windows 4.1 & IBM Host ZOs
  Account in IBM Host with password expiration


2 First test
  =======
  kinit with comand, (result OK)

The commands are:
c:\program files\mit\kerberos\bin\kinit it00046 at PGME.DESE
Password for it00046 at PGME.DESE:
Password expired. You must change it now.
Enter new password:

The behaviour is OK.

The info that offers WireShark is:

1 Computer -> Host: AS-REQ
2 Host -> Computer: KRB Error: KRB5KDC_ERR_KEY_EXP
3 Computer -> Host: AS-REQ
4 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
5 Computer -> Host: AS-REQ
6 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
7 Computer -> Host: AS-REQ
8 Host -> Computer: AS-REP

The steps 1-6 ocurrs when we do "kinit it00046 at PGME.DESE".
Steps 7-8 at "Password for ...".


The ZOs debug's info at point 7/8 (AS-REQ/AS-REP) is:

 180711 13:51:07 (00000001) DBG8 KRB/KRB_CRYPTO k5_aes_decrypt(): Software
AES256 decryption performed for 44 bytes
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_decrypt_int(): <--
krb5_c_decrypt_int(1): Status 0x0
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_make_random_key():
--> krb5_c_make_random_key(): Enctype 18
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL
crypto_generate_random_bytes(): --> crypto_generate_random_bytes(): Length
32
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL
crypto_generate_random_bytes(): <-- crypto_generate_random_bytes(1): Status
0x0
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_make_random_key():
<-- krb5_c_make_random_key(1): Status 0x0
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_encrypt_length():
--> krb5_c_encrypt_length(): Enctype 18, Length 166
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_encrypt_length():
<-- krb5_c_encrypt_length(1): Status 0x0, Encrypted length
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_encrypt_int(): -->
krb5_c_encrypt_int(): Enctype 18, Usage 2, Length 166
... <very more lines but all ok>


3 Second test
  =========
  kinit with leash_kinit, result KO

Code program:

result = Leash_kinit((char *)User.c_str(), (char *)Password.c_str(),
(int)P_LifeTime);    (remeber, the password has 6 characters)

WireShark info's:

1 Computer -> Host: AS-REQ
2 Host -> Computer: KRB Error: KRB5KDC_ERR_KEY_EXP
3 Computer -> Host: AS-REQ
4 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
5 Computer -> Host: AS-REQ
6 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
7 Computer -> Host: AS-REQ
8 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_FAILED (!)


The ZOs debug's info at point 7/8 (AS-REQ with preauth fail) is:

180711 13:51:56 (00000001) DBG8 KRB/KRB_CRYPTO k5_aes_decrypt(): Software
AES256 decryption performed for 44 bytes
180711 13:51:56 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_decrypt_int(): <--
krb5_c_decrypt_int(1): Status 0x96c73a1f (!)
 180711 13:51:56 (00000001) DBG6 KDC/KRB_KDC kdc_preauth_timestamp():
PREAUTH: krb5_c_decrypt_int() failed: Status 0x96c73a1f
 180711 13:51:56 (00000001) DBG6 KDC/KRB_KDC kdc_as_process_request():
AS_REQ: kdc_preauth_process_padata() failed: Status 0x18
 180711 13:51:56 (00000001) DBG8 KDC/KRB_KDC kdc_audit_login(): RACF: Audit
AS_REQ for pg807002: Function 2
 EUVF04039W Kerberos login failed for pg807002 at PGME.DESE at
X <http://10.120.232.18:63980/>X:XXX:XXX:XXX:XXXX: KDC status 0x96c73a18 -
Preauthentication failed.
 180711 13:51:56 (00000001) DBG1 KDC/KRB_KDC kdc_as_process_request():
AS_REQ: KDC error 24 processing request from pg807002 at PGME.DES

It fails.We supose that the problem is that "diference" caused problems
with dummy chars

Thanks in advance.

Josep Maria.

More information about the krb5-bugs mailing list