question about MIT Kerberos KDC processing PROXY KDC requests
Peter Djalaliev
peter.djalaliev at gmail.com
Tue Feb 3 17:32:59 EST 2009
Hello,
I understand that proxiable/proxy tickets are rarely used and the
corresponding code in the MIT Kerberos implementation is not very well
tested. However, I found two possibly buggy places in the KDC code,
so I think this is worth asking about.
I used the MIT Kerberos distribution and was able to make
proxiable/proxy tickets work, but had to make two changes in the KDC
source code. I would like to ask if these are really bugs or not. We
use the MIT Kerberos 1.6.3 release. Both suspicious places are in
kdc/kdc_util.c, validate_tgs_request():
1. line 1144:
    if (request->kdc_options & NO_TGT_OPTION) {
        if (!krb5_principal_compare(kdc_context, ticket->server,
                                    request_server)) {
            *status = "SERVER DIDN'T MATCH TICKET FOR RENEW/FORWARD/ETC";
            return(KDC_ERR_SERVER_NOMATCH);
        }
    }
NO_TGT_OPTION is defined as:
    #define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE)
The KDC returns an error here if the server principal in the ticket
does not match the one in the KDC request. I can see how this check
is required for the "forwarded", "renew" and "validate" KDC requests.
However, for a proxy ticket request, it seems that:
- the ticket must be a TGT with ticket->server = krbtgt/R1@R2, for
  some R1 and R2
- the KDC request must have a server principal request->server = the
  target application server's Kerberos principal
Should the #define NO_TGT_OPTION really include KDC_OPT_PROXY?
2. line 1236:
    if (isflagset(request->kdc_options, KDC_OPT_PROXY) &&
        (!request->server->data ||
         request->server->data[0].length != KRB5_TGS_NAME_SIZE ||
         memcmp(request->server->data[0].data, KRB5_TGS_NAME,
                KRB5_TGS_NAME_SIZE))) {
        *status = "CAN'T PROXY TGT";
        return KDC_ERR_BAD_OPTION;
    }
KRB5_TGS_NAME is #define-d as "krbtgt"
KRB5_TGS_NAME_SIZE is #define-d as 6
Isn't the boolean logic inverted here? We should return an error if
KDC_OPT_PROXY is set and request->server->data[0] is "krbtgt", which
would indicate a request for a TGT. Is that correct?
Best Regards,
Peter Djalaliev
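
The two conditions quoted in items 1 and 2 above, modelled stand-alone as an added example (not part of the original message and not MIT Kerberos source), evaluated for a PROXY request presenting a TGT. Assumptions: principals are compared as plain strings rather than with krb5_principal_compare, the function names are hypothetical, and the principal names are constructed; item2_variant_rejects is the sense the message asks about.

```c
/* Added illustration: stand-alone model of the quoted checks, not KDC source. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* KDC option bits as defined in krb5.h (RFC 4120 KDCOptions) */
#define KDC_OPT_FORWARDED 0x20000000u
#define KDC_OPT_PROXY     0x08000000u
#define KDC_OPT_RENEW     0x00000002u
#define KDC_OPT_VALIDATE  0x00000001u
#define NO_TGT_OPTION (KDC_OPT_FORWARDED | KDC_OPT_PROXY | KDC_OPT_RENEW | KDC_OPT_VALIDATE)
#define KRB5_TGS_NAME      "krbtgt"
#define KRB5_TGS_NAME_SIZE 6

/* Hypothetical helper: is the first name component exactly "krbtgt"? */
static bool first_component_is_tgs(const char *princ)
{
    size_t len = strcspn(princ, "/@");
    return len == KRB5_TGS_NAME_SIZE &&
           memcmp(princ, KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE) == 0;
}

/* Item 1 as quoted: reject when ticket server and requested server differ. */
static bool item1_rejects(unsigned opts, const char *tkt_srv, const char *req_srv)
{
    return (opts & NO_TGT_OPTION) && strcmp(tkt_srv, req_srv) != 0;
}

/* Item 2 as quoted: reject PROXY when the first component is NOT "krbtgt". */
static bool item2_rejects(unsigned opts, const char *req_srv)
{
    return (opts & KDC_OPT_PROXY) && !first_component_is_tgs(req_srv);
}

/* Item 2 in the sense the message asks about: reject PROXY for "krbtgt". */
static bool item2_variant_rejects(unsigned opts, const char *req_srv)
{
    return (opts & KDC_OPT_PROXY) && first_component_is_tgs(req_srv);
}

int main(void)
{
    const char *tgt = "krbtgt/R1@R1";            /* constructed sample names */
    const char *srv[] = { "host/app.example@R1", "krbtgt/R1@R1" };
    for (int i = 0; i < 2; i++)
        printf("%-20s item1=%d item2=%d variant=%d\n", srv[i],
               item1_rejects(KDC_OPT_PROXY, tgt, srv[i]),
               item2_rejects(KDC_OPT_PROXY, srv[i]),
               item2_variant_rejects(KDC_OPT_PROXY, srv[i]));
    return 0;
}
```

In this model the application-server request is rejected by both quoted conditions, while the request naming krbtgt/R1@R1 passes both and is rejected only by the variant.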