issue with preauth processing

Will Fiveash William.Fiveash at sun.com
Mon Oct 26 15:54:28 EDT 2009


On Mon, Oct 26, 2009 at 02:38:06PM -0400, Sam Hartman wrote:
> >>>>> "Will" == Will Fiveash <William.Fiveash at sun.com> writes:
> 
>     Will> On Fri, Oct 23, 2009 at 04:50:35PM -0500, Will Fiveash wrote:
>     >> On Fri, Oct 23, 2009 at 04:48:58PM -0400, Sam Hartman wrote:
>     >> > The preauth framework strongly encourages implementations to take
>     >> > optimistic pre-auth as a hint.  If you try some pre-auth and get a
>     >> > PREAUTH_REQUIRED or PREAUTH_FAILED error, then you should take that as
>     >> > the KDC requesting you start over.  Now, if that second round fails,
>     >> > you should probably give up.
>     >> 
>     >> But consider pam_krb5 and prompting.  There may be situations
>     >> where pam_krb5 wants to restrict libkrb and its preauth
>     >> plugins to only PKINIT and its associated prompts.  How can
>     >> that be done?
> 
>     Will> In addition I notice that kpasswd is prompting for a PIN if
>     Will> the system is configured to do PKINIT.  I notice in the
>     Will> source for kpasswd there is a call to:
> 
>     Will> static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
>     Will> {
>     Will>     krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
>     Will>     krb5_enctype        etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};
>     Will>     krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
>     Will>     krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
>     Will>     krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );
>     Will> }
> 
>     Will> Seems to me that the intention is to restrict the preauth to only
>     Will> KRB5_PADATA_ENC_TIMESTAMP.
> 
> No, that sounds like optimistic pre-auth not a restriction.
> Our kpasswd doesn't seem to have those calls.

I'm looking at src/clients/kpasswd/ksetpwd.c in the krb5/trunk and I
see:

static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions )
{
    krb5_preauthtype    preauth[] = { KRB5_PADATA_ENC_TIMESTAMP };
    krb5_enctype        etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC};
    krb5_get_init_creds_opt_set_address_list(outOptions, NULL);
    krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) );
    krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) );
}

and in userinitcontext():

        if( kres != 0 || have_credentials == 0 )
        {
            krb5_get_init_creds_opt *options = NULL;
            kres = krb5_get_init_creds_opt_alloc(kcontext, &options);
            if ( kres == 0 )
            {
                get_init_creds_opt_init(options);
/*
** no valid credentials - get new ones
*/
                kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass,
                        NULL /*prompter*/, 
                        NULL /*data*/,
                        0 /*starttime*/,
                        0 /*in_tkt_service*/,
                        options /*options*/ );
            }


> The call to set the list of enctypes seems particularly unfortunate.

Yep.

-- 
Will Fiveash
Sun Microsystems Inc.
http://opensolaris.org/os/project/kerberos/
Sent from mutt, a sweet ASCII MUA
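The two points raised in the thread, that a preauth list passed to krb5_get_init_creds_opt_set_preauth_list is only an optimistic hint (the KDC's PREAUTH_REQUIRED / PREAUTH_FAILED answer restarts the exchange once, and a second failure ends it) and that kpasswd's hard-coded DES enctype list fails outright against a KDC that offers no DES, are modelled below. This is an added example, not code from the thread or from MIT krb5: MockKDC, Result, get_init_creds and the scenario functions are constructed stand-ins, the password is a constructed value, and only the padata, enctype and error numbers are the real ones from RFC 4120 and the krb5 headers.

```python
"""Toy model of the AS-REQ preauth negotiation discussed on the list.

Constructed example (not libkrb5): a mock KDC plus a client that treats
its preauth list as an optimistic hint, restarts once when the KDC
replies PREAUTH_REQUIRED or PREAUTH_FAILED, and gives up after that.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

# Real numbers from RFC 4120 / krb5 headers.
KRB5_PADATA_ENC_TIMESTAMP = 2
KRB5_PADATA_PK_AS_REQ = 16
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18

KDC_ERR_ETYPE_NOSUPP = 14
KDC_ERR_PREAUTH_FAILED = 24
KDC_ERR_PREAUTH_REQUIRED = 25

# What kpasswd's get_init_creds_opt_init() hard-codes (see ksetpwd.c above).
KPASSWD_ETYPES = [ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC]
KPASSWD_PREAUTH = [KRB5_PADATA_ENC_TIMESTAMP]

# Constructed secret used by the mock KDC; not a real credential.
SECRET = "constructed-secret"


@dataclass
class MockKDC:
    """Constructed stand-in for a KDC: which preauth it accepts and which
    enctypes it offers, in preference order."""
    accepted_padata: Sequence[int]
    supported_etypes: Sequence[int]
    password: str = SECRET

    def as_req(self, padata: Optional[int], etypes: Sequence[int], secret: str):
        """Answer one AS-REQ as (ok, error_code, info).  info carries the
        KDC's preauth list on PREAUTH_REQUIRED / PREAUTH_FAILED and the
        chosen enctype on success."""
        usable = [e for e in etypes if e in self.supported_etypes]
        if not usable:
            # No common enctype: the request cannot proceed at all.
            return False, KDC_ERR_ETYPE_NOSUPP, None
        if padata not in self.accepted_padata:
            return False, KDC_ERR_PREAUTH_REQUIRED, list(self.accepted_padata)
        if secret != self.password:
            return False, KDC_ERR_PREAUTH_FAILED, list(self.accepted_padata)
        return True, 0, usable[0]


@dataclass
class Result:
    ok: bool
    error: int
    rounds: int
    padata_used: Optional[int]


def get_init_creds(kdc, secret, preauth_list, etypes, client_padata):
    """Client side of the exchange as described in the thread: preauth_list
    is an optimistic hint; PREAUTH_REQUIRED / PREAUTH_FAILED means start
    over with what the KDC asks for; a failing second round ends it."""
    padata = preauth_list[0] if preauth_list else None
    code = 0
    round_no = 0
    for round_no in (1, 2):
        ok, code, info = kdc.as_req(padata, etypes, secret)
        if ok:
            return Result(True, 0, round_no, padata)
        if code not in (KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_FAILED):
            break  # e.g. ETYPE_NOSUPP: restarting cannot help
        if round_no == 2:
            break  # second round failed: give up
        # Restart with the first KDC-requested mechanism this client implements.
        padata = next((p for p in info if p in client_padata), None)
        if padata is None:
            break
    return Result(False, code, round_no, padata)


CLIENT_PADATA = [KRB5_PADATA_ENC_TIMESTAMP, KRB5_PADATA_PK_AS_REQ]
AES_ONLY = [ENCTYPE_AES256_CTS_HMAC_SHA1_96]


def scenario_hint_honoured():
    """KDC accepts the hinted mechanism: one round."""
    kdc = MockKDC([KRB5_PADATA_ENC_TIMESTAMP], AES_ONLY)
    return get_init_creds(kdc, SECRET, KPASSWD_PREAUTH, AES_ONLY, CLIENT_PADATA)


def scenario_hint_overridden():
    """KDC wants PKINIT: the ENC_TIMESTAMP hint is not a restriction."""
    kdc = MockKDC([KRB5_PADATA_PK_AS_REQ], AES_ONLY)
    return get_init_creds(kdc, SECRET, KPASSWD_PREAUTH, AES_ONLY, CLIENT_PADATA)


def scenario_wrong_secret():
    """PREAUTH_FAILED twice: the client stops after the second round."""
    kdc = MockKDC([KRB5_PADATA_ENC_TIMESTAMP], AES_ONLY)
    return get_init_creds(kdc, "wrong", KPASSWD_PREAUTH, AES_ONLY, CLIENT_PADATA)


def scenario_des_only_client():
    """kpasswd's DES-only etype list against a KDC without DES."""
    kdc = MockKDC([KRB5_PADATA_ENC_TIMESTAMP], AES_ONLY)
    return get_init_creds(kdc, SECRET, KPASSWD_PREAUTH, KPASSWD_ETYPES, CLIENT_PADATA)
```

The last scenario is the enctype concern from the thread in isolation: a client that offers only DES never gets as far as preauth, so no amount of preauth retry logic rescues the hard-coded list.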



More information about the krbdev mailing list