[1581] in Kerberos-V5-bugs
Kerberos 5 Beta 5 Interoperability with DCE
daemon@ATHENA.MIT.EDU (Doug Engert)
Thu Aug 3 16:50:22 1995
Date: Thu, 03 Aug 95 15:49:40 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <KRB5-BUGS@MIT.EDU>
The following bugs were found with the Kerberos 5 beta 5 code
while testing the forwarding of tickets within a realm, and
with cross-realm authentication.
I have been able to cross-realm authenticate using 3 DCE cells
as the Kerberos KDCs. One was DCE 1.1, the others were at DCE 1.0.3a.
I can forward a kerberos ticket within the same realm and use it
to get a DCE context. (Forwarding a ticket cross-realm and getting
a DCE context is still a problem, DCE is missing the equivalent
mapping which is performed by the .k5login file or aname table.)
Diff files are attached.
./appl/bsd/forward.c:
The scratch and addrs need to be set to zero. Under some conditions
they are not set, but are used in a free operation.
./lib/krb5/krb/rd_req_dec.c:
The lrealm.length = strlen(lrealm.data);
statement needs to be moved after the
krb5_get_default_realm(context, &(lrealm.data));
which sets the realm. Without this I got a segmentation fault in
strlen while getting ready to check the transited field.
./lib/krb5/ccache/file/fcc.h
For compatibility with DCE 1.0.3, if Kerberos creates a type 1 cache
it makes life easier, especially when forwarding a ticket and using
it to get a DCE context. (This is not strictly a bug, so I have
added an ifdef around the code.)
./lib/krb5/ccache/file/fcc_read.c
When reading a type 1 cache (DCE 1.0.3a), if the keyblock->etype
is only set to ETYPE_UNKNOWN there is a problem in code later
in mk_cred. Rather than fail, an attempt to set a
reasonable value would be better. (I know a type 3 does not
have this problem, but DCE 1.0.3a uses type 1, and DCE 1.1
uses type 2. Maybe DCE 1.2 will use type 3.)
./lib/krb5/krb/walk_rtree.c
I found a problem with the last set of modifications I sent in on this
routine. These were the Configurable Authentication Path Modifications.
I failed to increment the link count before the malloc, and decrement
it afterwards. This left off the null terminator on the list of tgts.
The Configurable Authentication Path Modifications allow for non-hierarchical
cross-realm authentication by supplying the list of realms
to be used for authentication in the [capath] section in the krb5.conf
file.
I did not provide the diff for this file, but it can be found at
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k55.cdiff.950803 which
is a complete set of diffs for all of the changes I have made to date,
including many which have been reported by others to this list.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
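The two C defects described above for forward.c (pointers freed on an error path before they were ever set) and rd_req_dec.c (strlen on a buffer that had not been filled yet) are common enough to be worth seeing side by side in a compilable form. The following is an added example, not Doug Engert's patch and not MIT krb5 code: the `ex_data` type, the `ex_get_default_realm` stand-in and the realm and host strings are constructed for illustration and do not correspond to the real krb5 API.

```c
/* Added example (not part of the patch or the MIT krb5 sources). It models
 * the two defects the bug report describes with stand-in types and helper
 * names that are assumptions, not the real krb5 API:
 *   1. pointers that are freed on an error path must start out as NULL
 *      (forward.c: scratch, addrs);
 *   2. a length must be computed after the buffer it describes is filled
 *      (rd_req_dec.c: lrealm.length vs. krb5_get_default_realm).
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_data: a counted buffer. */
typedef struct { size_t length; char *data; } ex_data;

/* Stand-in for krb5_get_default_realm: allocates a copy of the realm name,
 * or fails (non-zero return, *out untouched) when no realm is configured,
 * so the error path can be exercised. */
static int ex_get_default_realm(const char *configured_realm, char **out)
{
    if (configured_realm == NULL)
        return 1;                        /* configuration error */
    *out = strdup(configured_realm);
    return *out == NULL ? 2 : 0;
}

/* Correct ordering: data is filled first, then length is derived from it.
 * Returns 0 and fills *lrealm on success; non-zero (lrealm untouched) on
 * failure, so a caller never sees a length computed from unset data. */
int ex_load_local_realm(const char *configured_realm, ex_data *lrealm)
{
    char *data = NULL;
    int rc = ex_get_default_realm(configured_realm, &data);
    if (rc != 0)
        return rc;                       /* no strlen(data) on this path */
    lrealm->data = data;
    lrealm->length = strlen(data);       /* safe: data is set now */
    return 0;
}

/* Multi-step acquisition with one cleanup label, in the shape of forward.c:
 * every pointer the cleanup frees is initialised to NULL, so an early
 * failure (the host lookup, say) frees nothing that was never allocated.
 * Returns 0 on success and hands the caller an allocated string in *out;
 * returns non-zero on failure with *out set to NULL. */
int ex_forward_creds(const char *configured_realm, const char *host, char **out)
{
    int rc;
    ex_data lrealm = { 0, NULL };        /* freed below: must start NULL */
    char *scratch = NULL;                /* same */
    char **addrs = NULL;                 /* same */

    *out = NULL;
    rc = ex_load_local_realm(configured_realm, &lrealm);
    if (rc != 0)
        goto cleanup;                    /* scratch/addrs still NULL */

    if (host == NULL || host[0] == '\0') {
        rc = 3;                          /* stand-in for a failed host lookup */
        goto cleanup;                    /* scratch/addrs still NULL */
    }
    addrs = calloc(2, sizeof *addrs);    /* one address plus NULL terminator */
    if (addrs == NULL) { rc = 2; goto cleanup; }
    addrs[0] = strdup(host);
    if (addrs[0] == NULL) { rc = 2; goto cleanup; }

    /* Constructed "forwarded credential" blob: "<realm>/<host>". */
    scratch = malloc(lrealm.length + 1 + strlen(host) + 1);
    if (scratch == NULL) { rc = 2; goto cleanup; }
    sprintf(scratch, "%s/%s", lrealm.data, host);
    *out = scratch;
    scratch = NULL;                      /* ownership moved to the caller */
    rc = 0;

cleanup:
    /* free() accepts NULL and addrs is NULL-terminated, so this block is
     * correct whichever goto reached it. */
    free(scratch);
    if (addrs != NULL) {
        for (char **p = addrs; *p != NULL; p++)
            free(*p);
        free(addrs);
    }
    free(lrealm.data);
    return rc;
}

int main(void)
{
    char *blob = NULL;   /* realm and host below are constructed values */
    int rc = ex_forward_creds("EXAMPLE.REALM", "kdc.example", &blob);
    printf("rc=%d blob=%s\n", rc, rc == 0 ? blob : "(none)");
    free(blob);
    rc = ex_forward_creds(NULL, "kdc.example", &blob);
    printf("rc=%d (realm lookup failed; nothing leaked or double-freed)\n", rc);
    return 0;
}
```

Running the second call under a memory checker is the useful exercise: remove the `= NULL` initialisers and the failure path frees whatever happened to be on the stack, which is exactly the condition the forward.c hunk closes.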
------------------------------------------------------------
*** ./appl/bsd/,forward.c Tue Apr 25 21:51:15 1995
--- ./appl/bsd/forward.c Thu Jul 20 13:02:31 1995
***************
*** 93,101 ****
krb5_data *out_buf;
{
krb5_replay_data replaydata;
! krb5_data * scratch;
struct hostent *hp;
! krb5_address **addrs;
krb5_error_code retval;
krb5_creds tgt, creds, *pcreds;
krb5_ccache cc;
--- 93,101 ----
krb5_data *out_buf;
{
krb5_replay_data replaydata;
! krb5_data * scratch = 0;
struct hostent *hp;
! krb5_address **addrs = 0;
krb5_error_code retval;
krb5_creds tgt, creds, *pcreds;
krb5_ccache cc;
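Review bot: Zero-initialising `scratch` and `addrs` is only half the fix, and the hunk does not show the other half: the cover letter says these were "used in a free operation" when unset, so the cleanup code that frees them needs to be checked for tolerating a null pointer (plain `free` does; a krb5 free routine that dereferences its argument before checking would still crash on 0). It would also help to name the early-exit condition that reaches that free, since the hunk touches only the declarations.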
*** ./lib/krb5/krb/,rd_req_dec.c Thu Apr 13 19:54:52 1995
--- ./lib/krb5/krb/rd_req_dec.c Wed Aug 2 10:06:32 1995
***************
*** 196,203 ****
* and the local realm.
*/
if (trans->tr_contents.data && trans->tr_contents.data[0]) {
- lrealm.length = strlen(lrealm.data);
krb5_get_default_realm(context, &(lrealm.data));
retval = krb5_check_transited_list(context, &(trans->tr_contents),
realm, &lrealm);
free(lrealm.data);
--- 196,203 ----
* and the local realm.
*/
if (trans->tr_contents.data && trans->tr_contents.data[0]) {
krb5_get_default_realm(context, &(lrealm.data));
+ lrealm.length = strlen(lrealm.data);
retval = krb5_check_transited_list(context, &(trans->tr_contents),
realm, &lrealm);
free(lrealm.data);
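Review bot: Moving `lrealm.length = strlen(lrealm.data);` after the realm lookup fixes the ordering, but the return value of `krb5_get_default_realm(context, &(lrealm.data));` is still discarded. If the lookup fails and leaves `lrealm.data` unset, the following `strlen` dereferences an indeterminate pointer, which is the same class of crash the report describes, and the later `free(lrealm.data)` frees that same pointer. Suggest assigning `retval` from the realm lookup and returning (or skipping the transited-list check) on a non-zero result before the `strlen`.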
*** ./lib/krb5/ccache/file/,fcc.h Wed Mar 22 16:35:40 1995
--- ./lib/krb5/ccache/file/fcc.h Tue Jul 11 07:10:36 1995
***************
*** 56,62 ****
--- 56,74 ----
#define KRB5_FCC_FVNO_2 0x0502 /* krb5 v5, fcc v2 */
#define KRB5_FCC_FVNO_3 0x0503 /* krb5 v5, fcc v3 */
+ /* DCE 1.0.3 only understands version 1
+ * DCE 1.1 understands version 1 and 2
+ * for DCE compatability, and the ability to read
+ * a forwarded ticket, we need to save the forwarded
+ * ticket in a version 1 file
+ * Use a define, since this is none standard Kerberos
+ * DEE - ANL 07/11/95
+ */
+ #ifdef ANL_DCE
+ #define KRB5_FCC_DEFAULT_FVNO KRB5_FCC_FVNO_1
+ #else
#define KRB5_FCC_DEFAULT_FVNO KRB5_FCC_FVNO_3
+ #endif
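Review bot: `KRB5_FCC_DEFAULT_FVNO` governs the format of every cache the library creates, not just the forwarded ticket the comment mentions, so under `ANL_DCE` all caches drop to version 1; the comment should say so, and a runtime setting would be safer than a build-time define if the same library is shared with non-DCE clients. Two spelling points in the added comment: "compatability" should be "compatibility" and "none standard" should be "non-standard".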
*** ./lib/krb5/ccache/file/,fcc_read.c Thu Apr 13 19:52:08 1995
--- ./lib/krb5/ccache/file/fcc_read.c Thu Jul 20 14:41:15 1995
***************
*** 208,214 ****
CHECK(kret);
if ((data->version == KRB5_FCC_FVNO_1) ||
(data->version == KRB5_FCC_FVNO_2))
! keyblock->etype = ETYPE_UNKNOWN;
else {
kret = krb5_fcc_read_ui_2(context, id, &ui2);
keyblock->etype = ui2;
--- 208,225 ----
CHECK(kret);
if ((data->version == KRB5_FCC_FVNO_1) ||
(data->version == KRB5_FCC_FVNO_2))
! {
! /* We need to guess at the etype based on the keytype
! * if we mk_cred to work with a cached forwarded
! * credential in a DCE compatable cache */
! keyblock->etype = ETYPE_UNKNOWN;
! if (valid_keytype(keyblock->keytype)) {
! keyblock->etype = krb5_keytype_array[keyblock->keytype]
! ->system->proto_enctype;
! if (!valid_etype(keyblock->etype))
! keyblock->etype = ETYPE_UNKNOWN;
! }
! }
else {
kret = krb5_fcc_read_ui_2(context, id, &ui2);
keyblock->etype = ui2;
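Review bot: The guess is a heuristic, and the code should say so and log when it applies: for FVNO_1 and FVNO_2 caches the etype is never read from the file, so `krb5_keytype_array[keyblock->keytype]->system->proto_enctype` substitutes a per-keytype default for a value the writer may have chosen differently. When `proto_enctype` fails `valid_etype`, the fallback to `ETYPE_UNKNOWN` leaves `mk_cred` with exactly the input the change is meant to avoid, so that caller still needs to handle `ETYPE_UNKNOWN`. In the comment, "if we mk_cred to work" reads as though a word is missing ("if we want mk_cred to work"), and "compatable" should be "compatible".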