bad counting of failed preauths

MARTAK,PAVEL (HP-Czechia,ex1) pavel_martak at hp.com
Wed Jul 3 10:37:36 EDT 2002


It seems that in a realm without slave KDCs, with preauth and KDC_KDB_UPDATE
on, the setting/counting/checking of the number of failed preauths does not
work right. This leads to the user being locked
after 1/2 of MAXIMUM_FAILED_COUNTS.

In gic_pwd.c there is code:
--------------------------------------------------------------
   /* first try: get the requested tkt from any kdc */
   ret = krb5_get_init_creds(context, creds, client, prompter, data,
                             start_time, in_tkt_service, options,
                             krb5_get_as_key_password, (void *) &pw0,
                             use_master, &as_reply);
   /* check for success */
   if (ret == 0)
      goto cleanup;
   /* If all the kdc's are unavailable, or if the error was due to a
      user interrupt, fail */
   if ((ret == KRB5_KDC_UNREACH) ||
       (ret == KRB5_LIBOS_PWDINTR) ||
       (ret == KRB5_REALM_CANT_RESOLVE))
      goto cleanup;
   /* if the reply did not come from the master kdc, try again with
      the master kdc */
   if (!use_master) {
      use_master = 1;
      ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
                                 start_time, in_tkt_service, options,
                                 krb5_get_as_key_password, (void *) &pw0,
                                 use_master, &as_reply);
      if (ret2 == 0) {
         ret = 0;
         goto cleanup;
      }
      /* if the master is unreachable, return the error from the
         slave we were able to contact */
      if ((ret2 == KRB5_KDC_UNREACH) ||
          (ret2 == KRB5_REALM_CANT_RESOLVE))
         goto cleanup;
      ret = ret2;
   }
------------------------------------------------------------------------------
where the setup logic of the use_master flag maybe is not good.
When the first request was already against the master KDC (because there is
no slave), it tries the new one against the master again.
=>
KADMIN
---------------------
kadmin:  getprinc pavel
Principal: pavel at CZECH.HP.COM
Expiration date: [never]
Last password change: Wed Jul 03 10:56:02 CEST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jul 03 10:56:02 CEST 2002 (admin/admin at CZECH.HP.COM)
Last successful authentication: Wed Jul 03 10:56:21 CEST 2002
Last failed authentication: Wed Jul 03 10:55:37 CEST 2002
Failed password attempts: 0
Number of keys: 2
Key: vno 6, DES cbc mode with CRC-32, no salt
Key: vno 6, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

KINIT
-----------------------
[root at pra7162 krb]# /opt/krb5/bin/kinit pavel
Password for pavel at CZECH.HP.COM:
kinit(v5): Preauthentication failed while getting initial credentials

KDCLOG
--------------------------
Jul 03 16:28:36 pra7162 krb5kdc[25339](info): AS_REQ (2 etypes {16 1})
15.188.27.162(88): NEEDED_PREAUTH: pavel at CZECH.HP.COM for
krbtgt/CZECH.HP.COM at CZECH.HP.COM, Additional pre-authentication required
Jul 03 16:28:39 pra7162 krb5kdc[25339](info): preauth (timestamp) verify
failure: Unknown code PAFc 96
Jul 03 16:28:39 pra7162 krb5kdc[25339](info): AS_REQ (2 etypes {16 1})
15.188.27.162(88): PREAUTH_FAILED: pavel at CZECH.HP.COM for
krbtgt/CZECH.HP.COM at CZECH.HP.COM, Preauthentication failed
Jul 03 16:28:39 pra7162 krb5kdc[25339](info): AS_REQ (2 etypes {16 1})
15.188.27.162(88): NEEDED_PREAUTH: pavel at CZECH.HP.COM for
krbtgt/CZECH.HP.COM at CZECH.HP.COM, Additional pre-authentication required
Jul 03 16:28:39 pra7162 krb5kdc[25339](info): preauth (timestamp) verify
failure: Unknown code PAFc 96
Jul 03 16:28:39 pra7162 krb5kdc[25339](info): AS_REQ (2 etypes {16 1})
15.188.27.162(88): PREAUTH_FAILED: pavel at CZECH.HP.COM for
krbtgt/CZECH.HP.COM at CZECH.HP.COM, Preauthentication failed

KADMIN
---------------------------
kadmin:   getprinc pavel
Principal: pavel at CZECH.HP.COM
Expiration date: [never]
Last password change: Wed Jul 03 10:56:02 CEST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jul 03 10:56:02 CEST 2002 (admin/admin at CZECH.HP.COM)
Last successful authentication: Wed Jul 03 10:56:21 CEST 2002
Last failed authentication: Wed Jul 03 16:28:39 CEST 2002
Failed password attempts: 2
Number of keys: 2
Key: vno 6, DES cbc mode with CRC-32, no salt
Key: vno 6, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Any ideas?

Thanks

Pavel M
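
The following C program is an added illustration, not code from the post above or from MIT Kerberos. It models the retry logic quoted from gic_pwd.c with a toy realm in which only the master records failed preauths (the "Failed password attempts" field that KDC_KDB_UPDATE keeps in the database), and compares it with a variant that retries only when the first reply really came from a non-master KDC. The names realm_t, get_init_creds, get_init_creds_password_original, get_init_creds_password_fixed, simulate_kinit and count_failed_attempts, the numeric error codes, and the "fixed" variant itself are assumptions of this example, not the library's actual API or its eventual change.

```c
/* Toy model of the krb5_get_init_creds retry in gic_pwd.c (illustration,
 * not MIT Kerberos code).  Shows why a realm without a slave KDC records
 * two failed preauths for one wrong password, halving the lockout threshold. */
#include <stdio.h>

/* Stand-ins for the krb5 error codes named in the quoted snippet (assumed). */
enum { OK = 0, KDC_UNREACH = 1, PREAUTH_FAILED = 2 };

/* A toy realm: an optional slave, a master, and the master's counters.
 * Only the master writes the failed-preauth counter, mirroring that slaves
 * hold a read-only copy of the database. */
typedef struct {
    int has_slave;
    int password_ok;
    int master_failed_count;   /* "Failed password attempts" on the master */
    int master_requests;       /* AS_REQs the master actually received */
} realm_t;

/* Stand-in for krb5_get_init_creds: the request goes to the master when
 * use_master is set or when the realm has no slave at all.  Reports which
 * KDC answered so the caller can decide whether a retry makes sense. */
static int get_init_creds(realm_t *r, int use_master, int *answered_by_master)
{
    int to_master = use_master || !r->has_slave;
    *answered_by_master = to_master;
    if (r->password_ok)
        return OK;
    if (to_master) {
        r->master_requests++;
        r->master_failed_count++;   /* KDC_KDB_UPDATE: failure is recorded */
    }
    return PREAUTH_FAILED;
}

/* The retry as quoted from gic_pwd.c: after a non-fatal failure, retry
 * against the master whenever use_master was not set for the first try. */
int get_init_creds_password_original(realm_t *r)
{
    int use_master = 0, by_master, ret, ret2;
    ret = get_init_creds(r, use_master, &by_master);
    if (ret == OK || ret == KDC_UNREACH)
        return ret;
    if (!use_master) {
        use_master = 1;
        ret2 = get_init_creds(r, use_master, &by_master);
        if (ret2 == OK)
            return OK;
        if (ret2 == KDC_UNREACH)
            return ret;     /* keep the error from the KDC we did reach */
        ret = ret2;
    }
    return ret;
}

/* One possible correction (an assumption of this example): retry against
 * the master only if the first reply came from some other KDC. */
int get_init_creds_password_fixed(realm_t *r)
{
    int by_master, ret, ret2;
    ret = get_init_creds(r, 0, &by_master);
    if (ret == OK || ret == KDC_UNREACH || by_master)
        return ret;         /* already talked to the master: do not repeat */
    ret2 = get_init_creds(r, 1, &by_master);
    if (ret2 == OK)
        return OK;
    if (ret2 == KDC_UNREACH)
        return ret;
    return ret2;
}

/* Run one kinit against a freshly constructed realm; returns the result code
 * and, via out, the realm state afterwards. */
int simulate_kinit(int has_slave, int password_ok, int fixed, realm_t *out)
{
    realm_t r = { has_slave, password_ok, 0, 0 };
    int ret = fixed ? get_init_creds_password_fixed(&r)
                    : get_init_creds_password_original(&r);
    if (out)
        *out = r;
    return ret;
}

/* Failed preauths the master records for a single wrong-password kinit. */
int count_failed_attempts(int has_slave, int fixed)
{
    realm_t r;
    simulate_kinit(has_slave, 0, fixed, &r);
    return r.master_failed_count;
}

int main(void)
{
    printf("realm            original  fixed\n");
    printf("no slave KDC     %d         %d\n",
           count_failed_attempts(0, 0), count_failed_attempts(0, 1));
    printf("with slave KDC   %d         %d\n",
           count_failed_attempts(1, 0), count_failed_attempts(1, 1));
    return 0;
}
```

Reading "Failed password attempts" in kadmin after a single kinit, as the post does, is the practical check: a counter that climbs by two per wrong password in a single-KDC realm is the signature of the doubled request, and the KDC log will show the matching pair of PREAUTH_FAILED entries within the same second.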


