[krbdev.mit.edu #2110] MIT KDC fails to handle unknown padata

DEEngert@anl.gov via RT rt-comment at krbdev.mit.edu
Wed Feb 11 20:30:00 EST 2004




Tom Yu via RT wrote:
> 
> >>>>> "DEEngert" == DEEngert at anl gov via RT <rt-comment at krbdev.mit.edu> writes:
> 
> DEEngert> Tom Yu via RT wrote:
> 
> >> I think the code is functioning as I expect it to, in this case.
> 
> DEEngert> No.
> 
> Let me rephrase: I think the code is functioning the way it was
> intended to function when it was written.  Whether that behavior is
> correct in this case is debatable.

OK, I agree with that. 

> 
> >> After all, you require preauth, and you didn't provide any preauth
> >> that it understood.  Or are you saying that it should ask for
> >> additional preauth rather than returning "preauth failed"?
> 
> DEEngert> Yes, on the first AS-REQ the client does not know what
> DEEngert> preauth if any is required. So it justs sends the
> DEEngert> PA-PAC-REQUEST. It has to do this on the first request, as
> DEEngert> preauth may not be needed.
> 
> DEEngert> If preauth is not required the KDC ignores the
> DEEngert> PA-PAC-REQUEST and it works.
> 
> DEEngert> If preauth is required, a krb-error SHOULD be sent saying
> DEEngert> which preauths can be used.
> 
> DEEngert> I thing the KDC code sees some preauth data,
> DEEngert> (PA-PAC-REQEUST) but not any it can use, and assumes that
> DEEngert> this must be a second AS-REQ request and it assumes it has
> DEEngert> already sent the client a krb-error with the list of
> DEEngert> preauths.
> 
> This would appear to be the intent.  The problem is, if the KDC sees
> any AS-REQ containing padata, the most safe assumption to make is that
> it is a "second" AS-REQ, i.e., one replying to a KRB-ERROR asking for
> additional preauth.
> 
> Consider what happens when a client sends an AS-REQ containing padata
> that the KDC do not understand.  KDC sends KRB-ERROR with list of
> supported padata.  Client is broken in a way that causes it to send
> a mostly identical AS-REQ, lacking the padata that the KDC require.
> KDC again sends KRB-ERROR with list of supported padata.  Looping
> ensues.  The main problem being that KRB-ERROR requesting additional
> preauth isn't a hard failure, and the other errors are.
> 
> I'm not sure of the best way to get around this problem, without
> somehow requiring the KDC to keep some state which it currently does
> not.

The difference is that the PA-PAC-REQUEST is really a flag, not a preauth.

So maybe the KDC needs to recognize flag type entries (there may be others)
and not make the assumption that this is a second AS-REQ. But this requires
knowledge of all the possible pa-data types or at least the flag types. 

Is this an issue for Sam's draft-ietf-krb-wg-preauth-framework-00.txt?

  
> 
> ---Tom

-- 

 Douglas E. Engert  <DEEngert at anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444


More information about the krb5-bugs mailing list