[krbdev.mit.edu #8681] [krb5 1.15] CLIENT PRINCIPALS ARE NOT UNIQUE WHEN ON THE SAME IP ADDRESS / HOST

Tiffany Tang via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Thu May 10 20:57:37 EDT 2018


Important Note: This only occurs when "forwardable=true" is specified.

In this testcase, ten unique client principals on the same host 
(CLIENT0@MIT.EDU, CLIENT1@MIT.EDU, CLIENT3@MIT.EDU, CLIENT4@MIT.EDU, 
etc.) want to authenticate to the same service. This is a concurrency 
test: there are ten threads, and all clients attempt to connect 
simultaneously. However, the majority of them fail to authenticate 
because their request is erroneously detected as a replay attack in 
krb5_rd_cred().

There are two problems that cause this bug to arise. (1) When building 
the krb5_donot_replay replay struct in krb5_rd_cred, the client name is 
constructed from the unique string "_forw" and the IP address. 
Unfortunately, since the clients are all on the same host, the client 
name will be the same for all ten clients, even if the principal names 
are all unique. (2) Since all ten clients attempt to connect 
simultaneously, the timestamps will be relatively similar. When I 
debugged into krb5_rd_cred, replay.ctime was the same for all ten 
clients. replay.cusec was 0 for all ten clients as well, which effectively 
says all ten clients connected at the same time.

With these two reasons combined, all ten clients would be seen as the 
same client and the replay cache would detect subsequent requests as a 
replay attack.

Therefore, I propose to change how the client name is constructed. 
Rather than just "_forw" and the IP address, make the client name a 
combination of the unique string, the IP address, and the port number. 
The port number would be unique between different clients on the same host.
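The collision described in this report, reproduced in a small standalone model. This is an added example, not code from krb5 or from the reporter: it uses a toy in-memory replay cache keyed on the same four fields a krb5_donot_replay entry carries (client, server, ctime, cusec), builds the client name first as "_forw" plus the peer address and then with the peer port appended, and counts how many of ten concurrent forwards from one host get rejected in each case. The ":port" separator, the IP address 10.0.0.5, the service name and the timestamp are constructed sample values, not values from krb5.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define RC_MAX 64
#define NAME_MAX 128

/* One replay-cache entry: the same four fields krb5_donot_replay carries. */
typedef struct {
    char client[NAME_MAX];
    char server[NAME_MAX];
    int32_t ctime;   /* client timestamp, seconds */
    int32_t cusec;   /* client timestamp, microseconds */
} rc_entry;

/* Toy in-memory replay cache (constructed for this example, not krb5's). */
typedef struct {
    rc_entry entries[RC_MAX];
    int count;
} rcache;

/* Store an entry. Returns 1 if an identical entry is already present
 * (the message is treated as a replay), 0 if it was stored as new. */
int rc_store(rcache *rc, const rc_entry *ent)
{
    for (int i = 0; i < rc->count; i++) {
        const rc_entry *seen = &rc->entries[i];
        if (strcmp(seen->client, ent->client) == 0 &&
            strcmp(seen->server, ent->server) == 0 &&
            seen->ctime == ent->ctime && seen->cusec == ent->cusec)
            return 1;
    }
    if (rc->count < RC_MAX)
        rc->entries[rc->count++] = *ent;
    return 0;
}

/* Client name as the report describes it: "_forw" plus the peer address. */
void name_from_addr(char *out, size_t len, const char *ip)
{
    snprintf(out, len, "_forw%s", ip);
}

/* Client name as the report proposes: also fold in the peer port.
 * The ":port" separator is an assumption of this example. */
void name_from_addr_port(char *out, size_t len, const char *ip, unsigned port)
{
    snprintf(out, len, "_forw%s:%u", ip, port);
}

/* Ten distinct principals on one host forward credentials to the same
 * service in the same second, with cusec 0 as observed in the report.
 * Returns how many of the ten are wrongly rejected as replays. */
int count_false_replays(int include_port)
{
    rcache rc;
    int rejected = 0;
    memset(&rc, 0, sizeof rc);
    for (int i = 0; i < 10; i++) {
        rc_entry ent;
        memset(&ent, 0, sizeof ent);
        if (include_port)
            name_from_addr_port(ent.client, sizeof ent.client, "10.0.0.5", 40000u + i);
        else
            name_from_addr(ent.client, sizeof ent.client, "10.0.0.5");
        /* Same target service for all ten; constructed sample value. */
        snprintf(ent.server, sizeof ent.server, "host/service.example.com@EXAMPLE.COM");
        ent.ctime = 1525999057;  /* all ten arrive in the same second */
        ent.cusec = 0;           /* and with cusec == 0 */
        rejected += rc_store(&rc, &ent);
    }
    return rejected;
}

/* A genuine replay (same host, same port, same timestamp, delivered twice)
 * must still be caught with the port-qualified name. Returns 1 if it is. */
int detects_true_replay(void)
{
    rcache rc;
    rc_entry ent;
    memset(&rc, 0, sizeof rc);
    memset(&ent, 0, sizeof ent);
    name_from_addr_port(ent.client, sizeof ent.client, "10.0.0.5", 40000u);
    snprintf(ent.server, sizeof ent.server, "host/service.example.com@EXAMPLE.COM");
    ent.ctime = 1525999057;
    ent.cusec = 0;
    rc_store(&rc, &ent);          /* first delivery: accepted */
    return rc_store(&rc, &ent);   /* second delivery: flagged */
}

int main(void)
{
    printf("address-only name:  %d of 10 rejected\n", count_false_replays(0));
    printf("address+port name:  %d of 10 rejected\n", count_false_replays(1));
    printf("true replay caught: %d\n", detects_true_replay());
    return 0;
}
```

With the address-only name the first forward is accepted and the other nine are rejected, because every entry compares equal; with the port folded in, all ten are accepted while an actual duplicate delivery from the same port is still detected. The point the model makes is that the replay cache key must identify the sender at least as finely as the transport does, or legitimate concurrent senders behind one address will alias each other.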
