[1100] in Kerberos-V5-bugs


Copy of X11R6 bug report:

daemon@ATHENA.MIT.EDU (Jonathan Stone)
Wed Feb 22 07:44:45 1995

Date: Wed, 22 Feb 1995 04:44:34 -0800
From: Jonathan Stone <jonathan@Gregorio.Stanford.EDU>
To: krb5-bugs@MIT.EDU


This is in the nature of a ``comment''. I'd appreciate any feedback on
the quality of the attached fix that you find time to make.

In particular I don't understand the difference between
KRB5_PADATA_ENC_TIMESTAMP and KRB5_PADATA_ENC_UNIX_TIME.
The former seems to be referenced only in kadmin/client/kadmin.c
and kadmin/kpasswd/kpasswd.c, and those are only in initializers
for preauthentication structures.

Is KRB5_PADATA_TIMESTAMP defunct?


---------
To:  xbugs@x.org

     VERSION:

R6, public-patch-11


     CLIENT MACHINE and OPERATING SYSTEM:

Sparc/SunOS 4.1.2, Sparc/SunOS 4.1.3_u1

     DISPLAY TYPE:

not relevant (cg3, cg6)

     WINDOW MANAGER:

irrelevant (twm)

     COMPILER:

gcc 2.6.3

     AREA:

xdm

     SYNOPSIS:

The kinit-derived code in xdm/krb5auth.c is outdated, and doesn't
even compile with krb5 beta4 patchlevel3.  A sample fix for that is
included below.

Even when obvious fixes are applied, the resulting xdm does
not work properly if both K5AUTH and SECURE_RPC are
defined, and quite possibly never did.

Even with a carefully-scrutinized, working, debugged krb5
installation, and obvious fixes like changing the names of
preprocessor macros to the krb5 beta4 patchlevel 3 equivalents, xdm is
completely unable to get a tgt.  A sample fix for that is also
included below.


     DESCRIPTION:

Passwords of more than 8 characters are being truncated inside
XDM before they are ever presented to the Kerberos library.

The root cause of this bug is that code inside #ifdef SECURE_RPC is
truncating passwords given to xdm by a trusting user to 8
characters. I claim that such truncation is simply, unarguably wrong,
when applied to passwords for Kerberos principals.

The following patch, which of course SHOULD NOT be applied,
shows this conclusively:

*** krb5auth.c.DIST	Sun Apr 17 17:03:40 1994
--- krb5auth.c	Wed Feb 22 04:17:40 1995
***************
*** 253,260 ****
  	char *my_name = NULL;
  	int code2 = krb5_unparse_name(me, &my_name);
  	if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
! 	    LogError ("password incorrect for Krb5 principal \"%s\"\n",
! 		      code2 ? name : my_name);
  	}
  	else
  	    LogError("%s while getting initial Krb5 credentials for \"%s\"\n",
--- 260,267 ----
  	char *my_name = NULL;
  	int code2 = krb5_unparse_name(me, &my_name);
  	if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) {
! 	    LogError ("password ]%s[ incorrect for Krb5 principal \"%s\"\n",
! 		      passwd, code2 ? name : my_name);
  	}
  	else
  	    LogError("%s while getting initial Krb5 credentials for \"%s\"\n",
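Review bot: the replacement LogError call at the two `!` lines writes the cleartext password (`passwd`) into xdm's error log, which is exactly why the covering text says this patch must not be applied; keep it strictly as a throwaway diagnostic and make sure it does not get folded into the SAMPLE FIX diff further down. If a permanent check is wanted, log `strlen(passwd)` rather than the string itself, which is enough to show the 8-character truncation without recording the secret.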


     REPEAT BY:

Install krb5 pl4 beta3. Build X11R6pl11 on a Sun running SunOS
4.1.3. Ensure that both SECURE_RPC and K5AUTH are defined.  Create a
principal in the Kerberos database. Verify that you can obtain a
ticket-granting ticket for that principal using krb5 kinit.  Observe
that xdm is unable to get any ticket for that (or any other)
principal even when given the correct password.


     SAMPLE FIX:

I fixed the password-truncation bug by having the SECURE_RPC
authentication code take a local copy of the password and truncate
the copy.

From perusing the source, xdm's krb5 authentication code is lifted out
of kinit.  It seems very likely that krb5's kinit has been updated
since, and xdm's krb5auth.c hasn't tracked those changes.  I tweaked
on krb5auth.c to make compile again. Whilst doing so I changed the
code to get a forwardable ticket. It's debatable, but that seems like
the `right' thing to do.

I have tested these changes with krb5 and they do indeed
result in xdm getting a ticket.  I have not tested
SECURE_RPC authentication with this change.


If I can make a request, it would be really, really nice to have
the maximum krb5 ticket lifetime, and I suppose forwardable
and proxiable tickets, be command-line and/or resource-file
options for xdm.


*** krb5auth.c.DIST	Sun Apr 17 17:03:40 1994
--- krb5auth.c	Wed Feb 22 04:17:40 1995
***************
*** 1,4 ****
! /* $XConsortium: krb5auth.c,v 1.4 94/04/17 20:03:40 gildea Exp $ */
  /*
  
  Copyright (c) 1994  X Consortium
--- 1,4 ----
! /* $XConsortium: krb5auth.c,v 1.4 94/04/17 20:03:40 gildea DSG-HACK $ */
  /*
  
  Copyright (c) 1994  X Consortium
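Review bot: the only change in this hunk is to the `$XConsortium: ... $` keyword line, swapping `Exp` for `DSG-HACK`; RCS rewrites that keyword on checkin, so the edit is noise that will only produce a spurious conflict when the maintainers apply the patch. Drop this hunk (and the matching one at the top of the session.c diff) from the submitted patch.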
***************
*** 154,162 ****
      return Krb5GetAuthFor(namelen, name, NULL);
  }
  
  int preauth_search_list[] = {
  	0,			
! 	KRB5_PADATA_ENC_TIMESTAMP,
  	-1
  	};
  
--- 154,169 ----
      return Krb5GetAuthFor(namelen, name, NULL);
  }
  
+ krb5_data tgtname = {
+     0,
+     KRB5_TGS_NAME_SIZE,
+     KRB5_TGS_NAME
+ };
+ 
  int preauth_search_list[] = {
  	0,			
! 	/*KRB5_PADATA_ENC_TIMESTAMP,*/
! 	KRB5_PADATA_ENC_UNIX_TIME,
  	-1
  	};
  
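Review bot: `tgtname` is added as a non-static global; since nothing outside this file uses it, declare it `static krb5_data tgtname = { ... }` so it cannot collide with a same-named symbol elsewhere in xdm or the libraries it links. Also, `KRB5_PADATA_ENC_TIMESTAMP` is left in the search list as a comment rather than deleted; commented-out entries in a search list are confusing, and the covering message itself says the difference between the two constants is unclear, so the final patch should either delete that line or carry a one-line comment explaining why `KRB5_PADATA_ENC_UNIX_TIME` is the right preauth type for beta4.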
***************
*** 206,212 ****
      if (code = krb5_build_principal_ext(&server,
  					krb5_princ_realm(me)->length,
  					krb5_princ_realm(me)->data,
! 					6, "krbtgt",
  					krb5_princ_realm(me)->length,
  					krb5_princ_realm(me)->data,
  					0)) {
--- 213,219 ----
      if (code = krb5_build_principal_ext(&server,
  					krb5_princ_realm(me)->length,
  					krb5_princ_realm(me)->data,
! 					tgtname.length, tgtname.data,
  					krb5_princ_realm(me)->length,
  					krb5_princ_realm(me)->data,
  					0)) {
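Review bot: replacing the literal `6, "krbtgt"` with `tgtname.length, tgtname.data` is the right direction, but the hunk now depends on `KRB5_TGS_NAME_SIZE` and `KRB5_TGS_NAME` and nothing in the diff shows which header supplies them; name that header in the covering text so the maintainers can confirm it is present in the krb5 release they build against. While the `if` is being touched, the pre-existing assignment-in-condition would read more clearly as `if ((code = krb5_build_principal_ext(...)) != 0)`.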
***************
*** 234,240 ****
      my_creds.times.renew_till = 0;
  
      for (i = 0; preauth_search_list[i] >= 0; i++) {
! 	code = krb5_get_in_tkt_with_password(0, my_addresses,
  					     preauth_search_list[i],
  					     ETYPE_DES_CBC_CRC,
  					     KEYTYPE_DES,
--- 241,247 ----
      my_creds.times.renew_till = 0;
  
      for (i = 0; preauth_search_list[i] >= 0; i++) {
! 	code = krb5_get_in_tkt_with_password(KDC_OPT_FORWARDABLE, my_addresses,
  					     preauth_search_list[i],
  					     ETYPE_DES_CBC_CRC,
  					     KEYTYPE_DES,
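Review bot: passing `KDC_OPT_FORWARDABLE` unconditionally changes the kind of ticket every xdm installation requests, which the covering text itself calls debatable and then asks to be made a command-line or resource option. Rather than hard-coding it in the fix, take the options argument from a variable that defaults to `0` (the previous behaviour) so the forwardable and proxiable flags can be wired to an xdm resource later without touching this call again.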
***************
*** 241,247 ****
  					     passwd,
  					     ccache,
  					     &my_creds, 0);
! 	if (code != KRB5KDC_PREAUTH_FAILED &&
  	    code != KRB5KRB_ERR_GENERIC)
  	    break;
      }
--- 248,254 ----
  					     passwd,
  					     ccache,
  					     &my_creds, 0);
! 	if (code != KRB5KDC_ERR_PREAUTH_FAILED &&
  	    code != KRB5KRB_ERR_GENERIC)
  	    break;
      }
*** /tmp/RCSAa01925	Wed Feb 22 04:21:58 1995
--- session.c	Wed Feb 22 04:20:36 1995
***************
*** 1,4 ****
! /* $XConsortium: session.c,v 1.72 94/04/17 20:03:45 gildea Exp $ */
  /*
  
  Copyright (c) 1988  X Consortium
--- 1,4 ----
! /* $XConsortium: session.c,v 1.72 94/04/17 20:03:45 gildea DSG-HACK $ */
  /*
  
  Copyright (c) 1988  X Consortium
***************
*** 566,578 ****
  	    int	    nameret, keyret;
  	    int	    len;
  	    int     key_set_ok = 0;
  
  	    nameret = getnetname (netname);
  	    Debug ("User netname: %s\n", netname);
! 	    len = strlen (passwd);
  	    if (len > 8)
! 		bzero (passwd + 8, len - 8);
! 	    keyret = getsecretkey(netname,secretkey,passwd);
  	    Debug ("getsecretkey returns %d, key length %d\n",
  		    keyret, strlen (secretkey));
  	    /* is there a key, and do we have the right password? */
--- 566,581 ----
  	    int	    nameret, keyret;
  	    int	    len;
  	    int     key_set_ok = 0;
+ 	    char    tempw[128];	/* don't change key till KRB5 done also */
  
  	    nameret = getnetname (netname);
  	    Debug ("User netname: %s\n", netname);
! 	    strncpy(tempw, passwd, 128);	
! 	    len = strlen (tempw);
  	    if (len > 8)
! 		bzero (tempw + 8, len - 8);
! 	    keyret = getsecretkey(netname,secretkey,tempw);
! 	    bzero(tempw, strlen(tempw));
  	    Debug ("getsecretkey returns %d, key length %d\n",
  		    keyret, strlen (secretkey));
  	    /* is there a key, and do we have the right password? */
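Review bot: `strncpy(tempw, passwd, 128)` does not NUL-terminate when `passwd` is 128 characters or longer, so the following `strlen(tempw)` and `bzero(tempw, strlen(tempw))` would read past the end of the 128-byte stack buffer; copy `sizeof tempw - 1` bytes and set `tempw[sizeof tempw - 1] = '\0'` explicitly (or reject over-long passwords before this point). The magic number 128 appears twice and should be `sizeof tempw` or a single `#define`. `bzero(tempw, strlen(tempw))` scrubs only the first 8 bytes once the tail has been zeroed; that happens to be enough here, but `bzero(tempw, sizeof tempw)` states the intent and does not depend on it. The fix itself, truncating a private copy and leaving `passwd` intact for the K5AUTH code, addresses the root cause described in the report.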


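The truncation described in the DESCRIPTION and SAMPLE FIX sections, reduced to a stand-alone C program. This is an added example, not code from the X11R6 xdm sources or from the patches above: `mock_getsecretkey` is a stand-in for the Secure RPC `getsecretkey()` call, the password contents are constructed, and `memset` is used where session.c uses `bzero`. The fixed variant also carries one guard the sample fix lacks: it forces NUL termination of the copy so that a password of 128 or more characters cannot make `strlen()` read past `tempw`.

```c
#include <stdio.h>
#include <string.h>

#define SECURE_RPC_PW_MAX 8    /* Secure RPC's DES key is derived from at most 8 chars */
#define TEMPW_SIZE 128         /* size of the local copy, as in the sample fix */

/* Stand-in for getsecretkey() (hypothetical, for this example only): the real
 * call derives a DES key from the password; this one just reports its length. */
static size_t mock_getsecretkey(const char *pw) { return strlen(pw); }

/* Old session.c behaviour: zero the tail of the caller's buffer in place, so
 * the K5AUTH code that runs afterwards only ever sees the first 8 characters. */
static size_t secure_rpc_then_krb5_inplace(char *passwd) {
    size_t len = strlen(passwd);
    if (len > SECURE_RPC_PW_MAX)
        memset(passwd + SECURE_RPC_PW_MAX, 0, len - SECURE_RPC_PW_MAX);
    (void)mock_getsecretkey(passwd);
    return strlen(passwd);            /* what krb5_get_in_tkt_with_password() would get */
}

/* Sample-fix behaviour plus explicit termination: truncate a private copy,
 * scrub it, and hand the untouched original on to the krb5 step. */
static size_t secure_rpc_then_krb5_copy(char *passwd) {
    char tempw[TEMPW_SIZE];
    strncpy(tempw, passwd, sizeof tempw - 1);
    tempw[sizeof tempw - 1] = '\0';   /* strncpy alone does not terminate a 128+ char input */
    size_t len = strlen(tempw);
    if (len > SECURE_RPC_PW_MAX)
        memset(tempw + SECURE_RPC_PW_MAX, 0, len - SECURE_RPC_PW_MAX);
    (void)mock_getsecretkey(tempw);
    memset(tempw, 0, sizeof tempw);   /* scrub the whole copy, not just strlen() bytes */
    return strlen(passwd);            /* krb5 still receives the full password */
}

/* Run either variant on a fresh, constructed password made of n copies of c
 * and report how many characters reach the krb5 step. */
size_t chars_reaching_krb5(char c, size_t n, int use_fixed_code) {
    char buf[512];
    if (n >= sizeof buf)
        n = sizeof buf - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return use_fixed_code ? secure_rpc_then_krb5_copy(buf)
                          : secure_rpc_then_krb5_inplace(buf);
}

int main(void) {
    printf("21-char password, old code: krb5 sees %zu chars\n", chars_reaching_krb5('p', 21, 0));
    printf("21-char password, fixed:    krb5 sees %zu chars\n", chars_reaching_krb5('p', 21, 1));
    printf("200-char password, fixed:   krb5 sees %zu chars\n", chars_reaching_krb5('p', 200, 1));
    return 0;
}
```

With the old code any principal whose password exceeds 8 characters can never obtain a TGT through xdm, while kinit (which never touches Secure RPC) works, which matches the REPEAT BY steps above; the 200-character case shows why the copy must be terminated by hand rather than relying on `strncpy`.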
