Report shadowed error code in decrypt_ticket?

Jan-Marek Glogowski glogow at fbihome.de
Tue Jun 11 11:41:11 EDT 2013


Hi,

I'm on Debian Wheezy (krb5 = 1.10.1+dfsg-5).

My new service was failing to accept my Kerberos ticket. To simplify my
debugging setup I used the sasl-sample-server, which showed the
following error message:

> sasl-sample-server: SASL Other: GSSAPI Error: Unspecified GSS
> failure.  Minor code may provide more information (Wrong principal
> in request).

I couldn't come up with a solution using normal "administrative" tools
so as a final solution I used gdb to trace the actual code.

My problem is "hidden" by decrypt_ticket
(src/lib/krb5/krb/rd_req_dec.c), which walks the list of entries in the
keytab until it finds a matching key, which can decrypt the requesting
ticket.
decrypt_ticket already checks the encryption type and krb5_sname_match.

The following question came to my mind: Can there be multiple keys with
the same encryption type and matching principal in the same keytab?

If not, the first patch could be applied, which would present the
correct error from try_one_entry to the user.

If there might be multiple matches, the alternative second patch would
catch the last error from try_one_entry, which might be more helpful
than the current situation.

Regards,

Jan-Marek

P.S. I had limited the permitted encryption types in the krb5.conf,
which is returned correctly by try_one_entry as KRB5_NOPERM_ETYPE and
would have helped a lot.

P.P.S. Both patches are neither compile tested nor tested in use and
were made using the krb5-1.11.3 codebase.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropped_error_code_v1.diff
Type: text/x-patch
Size: 657 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20130611/ce9c2552/attachment.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropped_error_code_v2.diff
Type: text/x-patch
Size: 1255 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20130611/ce9c2552/attachment-0001.bin
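The error-shadowing the post describes, as an added, constructed model and not the code from krb5's src/lib/krb5/krb/rd_req_dec.c or the attached patches. The KT_* error constants, the toy XOR "decryption" in try_one_entry, the keytab contents and run_scenario are all assumptions made for this illustration; the keep_last_error flag switches between the current behaviour (generic error) and the second patch's behaviour (last try_one_entry error is reported).

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the krb5 error codes named in the post. */
enum { KT_OK = 0, KT_WRONG_PRINC = 1, KT_NOPERM_ETYPE = 2, KT_BAD_INTEGRITY = 3 };

struct kt_entry { int etype; const char *princ; unsigned char key; };
struct ticket   { int etype; const char *sname; unsigned char ct[4]; };

/* Toy decryption: XOR with a one-byte key; a valid ticket decrypts to "TK..".
 * The permitted-etype check models the krb5.conf restriction from the post. */
static int try_one_entry(const struct ticket *t, const struct kt_entry *e,
                         const int *permitted, int nperm)
{
    int i, allowed = 0;
    unsigned char pt[4];
    for (i = 0; i < nperm; i++)
        if (permitted[i] == e->etype) allowed = 1;
    if (!allowed) return KT_NOPERM_ETYPE;
    for (i = 0; i < 4; i++) pt[i] = t->ct[i] ^ e->key;
    return (pt[0] == 'T' && pt[1] == 'K') ? KT_OK : KT_BAD_INTEGRITY;
}

/* Walk the keytab like the loop in the post. keep_last_error == 0 models the
 * current behaviour (a generic "wrong principal" error hides the real cause);
 * keep_last_error == 1 models the second patch (report try_one_entry's error). */
static int decrypt_ticket(const struct ticket *t, const struct kt_entry *kt, int n,
                          const int *permitted, int nperm, int keep_last_error)
{
    int i, ret, last = KT_WRONG_PRINC;
    for (i = 0; i < n; i++) {
        if (kt[i].etype != t->etype || strcmp(kt[i].princ, t->sname) != 0)
            continue;                       /* etype / principal filter */
        ret = try_one_entry(t, &kt[i], permitted, nperm);
        if (ret == KT_OK) return KT_OK;
        last = ret;                         /* shadowed unless kept */
    }
    return keep_last_error ? last : KT_WRONG_PRINC;
}

/* Scenario: the only matching key uses etype 18; permit_18 == 0 means krb5.conf
 * permits only etype 17, which is exactly the situation in the P.S. above. */
int run_scenario(int keep_last_error, int permit_18)
{
    const struct kt_entry kt[] = { {17, "host/example", 0x11}, {18, "host/example", 0x5a} };
    const struct ticket t = { 18, "host/example", { 'T' ^ 0x5a, 'K' ^ 0x5a, 0x5a, 0x5a } };
    const int permitted[] = { 17, 18 };
    return decrypt_ticket(&t, kt, 2, permitted, permit_18 ? 2 : 1, keep_last_error);
}
```

run_scenario(0, 0) returns KT_WRONG_PRINC while run_scenario(1, 0) returns KT_NOPERM_ETYPE, which is the difference between the generic message in the post and the error that would have pointed at the krb5.conf restriction.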