[2156] in Kerberos-V5-bugs
DCE/Kerberos V5/Kerberos V4 and AFS compatibility and conversion
daemon@ATHENA.MIT.EDU (Doug Engert)
Fri Aug 16 11:10:15 1996
Date: Fri, 16 Aug 1996 10:09:32 -0500
From: Doug Engert <DEEngert@anl.gov>
To: Sean Mullan <mullan_s@apollo.hp.com>
Cc: authtf@es.net, info-dce@transarc.com, krb5-bugs@MIT.EDU
In-Reply-To: <199608161401.AA124304090@relay.hp.com>
Sean Mullan writes:
> Hi Doug,
>
> Thanks for taking the time to test this. You have definitely found a bug,
> which doesn't appear too difficult to fix. I will open an OT for this
> problem, and let you know what we can do about trying to get it in for DCE
> 1.2.2.
>
> Could you send me your test program?
>
> --Sean
The test program is attached.
--
While you are fixing the bug, is there any way of adding some code which,
if it saw the salt/pepper was of the form "AFS:some-string", would use
the AFS string_to_key with the "some-string" as the salt?
The Kerberos 5 beta 6 has an afsstring2key.c which is called from
string2key.c if the salt is a -1. Looking at the DCE and K5b6 source,
it looks like this would be a simple change to integrate this
routine into DCE. The Kerberos code could also be easily changed to
look for the "AFS:" as well as the length of -1. This would allow one
to copy the keys from AFS to DCE, setting up the salt correctly. It
would not require any changes to the DCE registry or to a K5 KDC.
This would go a *LONG* way in making a conversion from AFS to DCE much
easier for many sites.
I would be more than willing to help test this.
--
Note that the cpwkey.c should also be able to be used to set the
cross-cell key to be used for cross cell authentication between a DCE
and a Kerberos K5 cell. Gary Grider <ggrider@c8-ibm.Lanl.GOV> is
trying to do this.
The program, cpwkey, is attached. The options are:
  -s  the DCE site, defaults to the local cell
  -u  the principal name for which you want to change the password
  -p  Prompt for a password to use for this principal. The pepper
      defaults to NULL, which tells DCE to use the default pepper.
  -k  the DES key to use. It is in the form of an octal string
      in quotes to get by the shell. Use one of -p or -k, not both.
      The pepper defaults to "", which generates the zero length salt.
  -P  the pepper to use with this password. Overrides the above
      pepper as set by -p or -k.
  -v  The key version number to use
  -g  The principal's group.
  -o  The principal's org.
For example, you could use the K5 krb5_edit to add a V4 key to the
K5 KDC using a password.
Then as a DCE cell-admin run:
cpwkey -p krbtgt/k5.realm.name -p -v 1
It will prompt for the password twice, and the cell_admin password.
Or you could add the password to the K5, and extract the key by
using the extract_srvtab or extract_v4_srvtab to a dummy file,
run od on it to see the key, then:
cpwkey -p krbtgt/k5.realm.name -k "\340\256\375\222\345\375\367\051" -v 1
(BTW, that's the key for the password "dougtest")
--
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 <New Area Code 8/3/96>
PGP Key fingerprint = 20 2B 0C 78 43 8A 9C A6 29 F7 A3 6D 5E 30 A6 7F
/*
 * cpwkey.c - change a password, but set the salt/pepper to
 * the NULL string. Also allow for a key to be used instead.
 * This is useful when setting a cross-cell key
 * or for adding a user's MIT string to key which was generated
 * by our K4 mods.
 *
 * This is more of a proof of concept program than a production
 * program.
 *
 * DEE 08/12/96
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>             /* getopt(), optind, optarg */
#include <dce/sec_login.h>
#include <dce/dce_error.h>
#include <dce/binding.h>
#include <dce/passwd.h>

#ifdef DEBUG
#define DEEDEBUG(A) fprintf(stderr,A)
#define DEEDEBUG2(A,B) fprintf(stderr,A,B)
#else
#define DEEDEBUG(A)
#define DEEDEBUG2(A,B)
#endif

static void usage(void)
{
    fprintf(stderr,
        "usage: cpwkey [-s site] -u principal [-p | -k \"\\ooo...\"] [-P pepper]\n"
        "              [-v version] [-g group] [-o org]\n");
    exit(1);
}

int main(int argc, char *argv[])
{
    int rv;
    int i, n;
    unsigned int j;
    char *cp;
    unsigned_char_t *dp;
    error_status_t st;
    int lst;
    dce_error_string_t err_string;
    char admin_pw[1025];
    int admin_pw_size = 1024;
    char new_pw[1025];
    int new_pw_size = 1024;
    /* set the defaults */
    unsigned_char_t *site = (unsigned_char_t *)"/.:";   /* the local cell */
    sec_rgy_handle_t rcontext = NULL;
    sec_rgy_login_name_t user_name;
    sec_passwd_rec_t admin;
    sec_passwd_rec_t user;
    sec_passwd_version_t new_version;

    /* set the defaults */
    user.version_number = sec_passwd_c_version_none;
    user.pepper = NULL;                 /* NULL pepper: DCE picks its default */
    user.key.key_type = sec_passwd_plain;
    user.key.tagged_union.plain = NULL;
    admin.version_number = sec_passwd_c_version_none;
    admin.pepper = NULL;
    admin.key.key_type = sec_passwd_plain;
    admin.key.tagged_union.plain = NULL;
    memset(user_name.pname, 0, sizeof(user_name.pname));
    memset(user_name.gname, 0, sizeof(user_name.gname));
    memset(user_name.oname, 0, sizeof(user_name.oname));
    /* copy one byte short so the names stay NUL-terminated */
    strncpy(user_name.gname, "none", sec_rgy_name_t_size - 1);
    strncpy(user_name.oname, "none", sec_rgy_name_t_size - 1);

    /* the site option is -s, as documented above (the original used -c) */
    while ((rv = getopt(argc, argv, "s:u:pk:v:g:o:P:")) != -1) {
        switch (rv) {
        case 's':
            site = (unsigned_char_t *)optarg;
            break;
        case 'u':
            strncpy(user_name.pname, optarg, sec_rgy_name_t_size - 1);
            break;
        case 'p':
            /* prompt twice; krb5_read_password as bundled with DCE's Kerberos */
            krb5_read_password("New Password:", "New Password:",
                               new_pw, &new_pw_size);
            user.key.tagged_union.plain = (unsigned_char_t *)new_pw;
            break;
        case 'k':
            /* 8 key bytes, each a literal character or a 3-digit \ooo escape */
            cp = optarg;
            dp = user.key.tagged_union.des_key;     /* the array, not &array */
            fprintf(stderr, "key:");
            for (i = 0; i < 8; i++) {
                if (*cp == '\0') {
                    fprintf(stderr, "\n-k key must contain 8 bytes\n");
                    exit(1);
                }
                if (*cp == '\\') {
                    cp++;
                    /* require exactly three octal digits after the backslash */
                    if (sscanf(cp, "%3o%n", &j, &n) != 1 || n != 3) {
                        fprintf(stderr, "\nbad octal escape in -k key\n");
                        exit(1);
                    }
                    *dp++ = (unsigned_char_t)j;
                    cp += 3;
                    fprintf(stderr, "\\%03o", j);
                } else {
                    j = (unsigned char)*cp++;
                    fprintf(stderr, "%c", j);
                    *dp++ = (unsigned_char_t)j;
                }
            }
            fprintf(stderr, "\n");
            user.pepper = (unsigned_char_t *)"";    /* zero-length salt */
            user.key.key_type = sec_passwd_des;
            break;
        case 'P':
            user.pepper = (unsigned_char_t *)optarg;
            break;
        case 'v':
            user.version_number = atoi(optarg);
            break;
        case 'g':
            strncpy(user_name.gname, optarg, sec_rgy_name_t_size - 1);
            break;
        case 'o':
            strncpy(user_name.oname, optarg, sec_rgy_name_t_size - 1);
            break;
        default:
            usage();
        }
    }

    /* check for correct options before prompting, needs work */
    if (!(user_name.pname[0])) {
        fprintf(stderr, "Required option, -u missing\n");
        usage();
    }

    krb5_read_password("Admin Password:", NULL,
                       admin_pw, &admin_pw_size);
    admin.key.tagged_union.plain = (unsigned_char_t *)admin_pw;

    sec_rgy_site_open_update(site, &rcontext, &st);
    if (st) {
        dce_error_inq_text(st, err_string, &lst);
        fprintf(stderr, "Error while binding to update site: %s : %s\n",
                site, err_string);
        exit(1);
    }

    fprintf(stderr, "calling sec_rgy_acct_passwd\n");
    sec_rgy_acct_passwd(rcontext, &user_name,
                        &admin, &user, sec_passwd_des, &new_version, &st);
    if (st) {
        dce_error_inq_text(st, err_string, &lst);
        fprintf(stderr, "Error while changing password for %s : %s\n",
                user_name.pname, err_string);
        exit(1);
    }
    fprintf(stderr, "Finished\n");

    /* don't leave passwords lying around in memory longer than needed */
    memset(admin_pw, 0, sizeof(admin_pw));
    memset(new_pw, 0, sizeof(new_pw));
    return 0;
}
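The -k option above takes a DES key as a string of octal escapes such as "\340\256\375\222\345\375\367\051", which is what you read back from od after extracting a srvtab. The following is an added example, not part of the message or of cpwkey.c: a stand-alone parser for that form that rejects short or malformed input (the loop in cpwkey.c walks off the end of a short string), checks that every key byte carries the odd parity DES expects, and renders a key back into the same escape form so it can be pasted into a -k argument. The sample input is the key quoted in the message; the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Parse a DES key written as 8 "characters", each either a literal byte
 * or a three-digit octal escape such as "\340" (the od / cpwkey -k form).
 * Returns 0 on success and -1 if the string is short, has a malformed
 * escape, an escape above \377, or trailing bytes beyond the 8th. */
int parse_des_key(const char *s, unsigned char key[8])
{
    int i;
    for (i = 0; i < 8; i++) {
        if (*s == '\0')
            return -1;                      /* fewer than 8 key bytes */
        if (*s == '\\') {
            int d, v = 0;
            s++;
            for (d = 0; d < 3; d++) {       /* exactly three octal digits */
                if (*s < '0' || *s > '7')
                    return -1;
                v = v * 8 + (*s - '0');
                s++;
            }
            if (v > 0377)
                return -1;                  /* "\400" does not fit a byte */
            key[i] = (unsigned char)v;
        } else {
            key[i] = (unsigned char)*s++;
        }
    }
    return (*s == '\0') ? 0 : -1;           /* reject trailing junk */
}

/* Every byte of a DES key carries odd parity in its low bit.
 * Returns 1 if all 8 bytes have odd parity, 0 otherwise. */
int des_key_has_odd_parity(const unsigned char key[8])
{
    int i;
    for (i = 0; i < 8; i++) {
        unsigned char b = key[i];
        int bits = 0;
        while (b) {
            bits += b & 1;
            b >>= 1;
        }
        if ((bits & 1) == 0)
            return 0;
    }
    return 1;
}

/* Render a key as 8 octal escapes, the form -k expects.
 * buf must have room for 33 bytes (8 * 4 + NUL). */
void format_des_key(const unsigned char key[8], char *buf)
{
    int i;
    for (i = 0; i < 8; i++)
        sprintf(buf + 4 * i, "\\%03o", key[i]);
}

int main(void)
{
    /* constructed sample: the key the message quotes for "dougtest" */
    const char *arg = "\\340\\256\\375\\222\\345\\375\\367\\051";
    unsigned char key[8];
    char out[33];

    if (parse_des_key(arg, key) != 0) {
        fprintf(stderr, "malformed key string\n");
        return 1;
    }
    format_des_key(key, out);
    printf("parsed: %s  odd parity: %s\n", out,
           des_key_has_odd_parity(key) ? "yes" : "no");
    return 0;
}
```

A key that fails the parity check is worth rejecting before it reaches the registry: it usually means a byte was mis-transcribed from the od output rather than a genuine key.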