
Re: kadmin crash with PKCS11

daemon@ATHENA.MIT.EDU (Nalin Dahyabhai)
Thu Aug 14 11:47:18 2014

Date: Thu, 14 Aug 2014 11:46:56 -0400
From: Nalin Dahyabhai <nalin@redhat.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20140814154656.GA32695@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <53ECCDC0.7060206@mit.edu>
Cc: jarek <jarek@poczta.srv.pl>, kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, Aug 14, 2014 at 10:54:56AM -0400, Greg Hudson wrote:
> On 08/14/2014 04:38 AM, jarek wrote:
> > I'm almost sure that the problem is with buggy pkcs11
> > lib, but I don't understand, why kadmin tries to access smart card when
> > it should use keytab only:
> 
> My initial reading of the code is that it should only invoke the PKCS11
> module when it is actually doing PKINIT, so I'm not sure either.

I've seen this before - the server lists PKINIT support among the
preauth options, so the client attempts to generate a PK_AS_REQ.

The plugin gets as far as attempting to log in to the token, and then
segfaults in pkinit_login() when it attempts to call kinit's prompter
callback, which is NULL, to get the password for the token.  Or it
crashes the same way in pkinit_get_certs_pkcs12() if it's been pointed
at an encrypted PKCS#12 bundle.

The responder changes that landed in 1.12 included changes to return a
failure code if the prompter is NULL, so this must be an older version.

HTH,

Nalin
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
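The crash Nalin describes is a plugin calling a caller-supplied prompter callback without first checking that one was installed, and the 1.12 fix was to return a failure code instead. The following C example is added here to illustrate that pattern; it is not MIT krb5 code and does not use the real `krb5_prompter_fct` signature. The `token_prompter_fn` type, the `LOGIN_*` error codes and the `token_login_*` functions are constructed stand-ins for the PKINIT login path.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a krb5-style prompter callback: the caller
 * supplies it so the library can ask the user for a secret (here, a token
 * PIN). A non-interactive caller such as a daemon using a keytab may
 * legitimately install no prompter at all, i.e. pass NULL. */
typedef int (*token_prompter_fn)(const void *data, const char *prompt,
                                 char *reply, size_t reply_len);

/* Constructed result codes for this example. */
enum {
    LOGIN_OK = 0,
    LOGIN_ERR_NO_PROMPTER = 1,    /* no way to ask for the PIN: fail cleanly */
    LOGIN_ERR_PROMPT_FAILED = 2,  /* prompter ran but could not deliver a PIN */
    LOGIN_ERR_BAD_PIN = 3         /* token rejected the PIN */
};

/* Pre-fix shape of the login path: the callback is invoked
 * unconditionally, so a NULL prompter is a NULL function-pointer call and
 * the process segfaults, as in the report above. */
int token_login_unchecked(token_prompter_fn prompter, const void *data,
                          const char *expected_pin)
{
    char pin[64];
    if (prompter(data, "Token PIN: ", pin, sizeof pin) != 0)
        return LOGIN_ERR_PROMPT_FAILED;
    return strcmp(pin, expected_pin) == 0 ? LOGIN_OK : LOGIN_ERR_BAD_PIN;
}

/* Post-fix shape: a missing prompter turns into an error return, so the
 * caller can abandon this preauth mechanism and fall back to others
 * instead of crashing. */
int token_login_checked(token_prompter_fn prompter, const void *data,
                        const char *expected_pin)
{
    char pin[64];
    if (prompter == NULL)
        return LOGIN_ERR_NO_PROMPTER;
    if (prompter(data, "Token PIN: ", pin, sizeof pin) != 0)
        return LOGIN_ERR_PROMPT_FAILED;
    return strcmp(pin, expected_pin) == 0 ? LOGIN_OK : LOGIN_ERR_BAD_PIN;
}

/* Test prompter: copies a constructed PIN from the callback data into the
 * reply buffer, refusing if it does not fit. */
int fixed_prompter(const void *data, const char *prompt, char *reply,
                   size_t reply_len)
{
    const char *pin = (const char *)data;
    (void)prompt;
    if (strlen(pin) + 1 > reply_len)
        return -1;
    strcpy(reply, pin);
    return 0;
}

int main(void)
{
    /* Interactive caller: both versions behave the same. */
    printf("checked, with prompter:  %d\n",
           token_login_checked(fixed_prompter, "1234", "1234"));
    /* Non-interactive caller: only the checked version survives. */
    printf("checked, NULL prompter:  %d\n",
           token_login_checked(NULL, NULL, "1234"));
    return 0;
}
```

The point of the checked variant is that "no prompter" is a normal state for a non-interactive client, so it has to be reported as an error on that one preauth path rather than treated as an unreachable condition.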
