[2304] in Kerberos-V5-bugs
krb5-kdc/68: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP
daemon@ATHENA.MIT.EDU (John Hawkinson)
Sun Oct 6 02:04:09 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, John Hawkinson <jhawk@bbnplanet.com>
Date: Sun, 6 Oct 1996 02:03:54 -0400
From: John Hawkinson <jhawk@bbnplanet.com>
To: krb5-bugs@MIT.EDU
>Number: 68
>Category: krb5-kdc
>Synopsis: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP
>Confidential: no
>Severity: critical
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Oct 6 02:04:01 EDT 1996
>Last-Modified:
>Originator: John Hawkinson
>Organization:
BBN Planet
>Release: 1.0-development
>Environment:
System: NetBSD lola-granola 1.1B NetBSD 1.1B (LOLA) #2: Thu Jul 11 00:13:13 EDT 1996 mycroft@zygorthian-space-raiders:/afs/sipb.mit.edu/project/netbsd/dev/current-source/build/i386_nbsd1/sys/arch/i386/compile/LOLA i386
Bug is also present in beta-7.
>Description:
(This PR is "critical" because it is a protocol bug.)
Attempting to obtain a ticket from the KDC with PA-ENC-TIMESTAMP
preauthentication fails. RFC1510 requires this option to either
be implemented or ignored if not implemented. The current kdc
instead rejects it.
>How-To-Repeat:
Attempt to obtain tickets from IOS with "kerberos preauthenticate
encrypted-unix-timestamp" set. Watch it fail. The kdc logs:

    Oct 6 01:44:03 liam-gw syslog: AS_REQ 199.94.220.6(88): PREAUTH_FAILED: test@BBNPLANET.NET for krbtgt/BBNPLANET.NET@BBNPLANET.NET, Preauthentication failed

This violates RFC1510 Section 9.1 subsection "Pre-authentication methods",
on [Page 86], which states:

    The TGS-REQ method must be supported. The TGS-REQ method is not used
    on the initial request. The PA-ENC-TIMESTAMP method must be supported
    by clients but whether it is enabled by default may be determined on
    a realm by realm basis. If not used in the initial request and the
    error KDC_ERR_PREAUTH_REQUIRED is returned specifying PA-ENCTIMESTAMP
    as an acceptable method, the client should retry the initial request
    using the PA-ENC-TIMESTAMP preauthentication method. SERVERS NEED NOT
    SUPPORT THE paenc-timestamp METHOD, BUT IF NOT SUPPORTED THE SERVER
    SHOULD IGNORE THE PRESENCE OF pa-enc-timestamp PRE-AUTHENTICATION IN
    A REQUEST. [Emphasis mine]

>Fix:
The right fix is for the kdc to support PA-ENC-TIMESTAMP (it would be
nice for the clients to support it, too). This is not too hard.
The easy (short-term) solution is for the server to ignore the option.
>Audit-Trail:
>Unformatted:
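
The reject-versus-ignore distinction the report draws from RFC 1510 Section 9.1, as an added example that is not part of the original report and is not MIT krb5 source. The struct, the function names, and the `strict` and `preauth_required` flags are hypothetical; only the numeric constants come from RFC 1510.

```c
#include <stddef.h>

/* Padata types and error codes as assigned in RFC 1510. */
#define PA_TGS_REQ               1
#define PA_ENC_TIMESTAMP         2
#define KDC_ERR_PREAUTH_FAILED   24
#define KDC_ERR_PREAUTH_REQUIRED 25

/* Hypothetical padata entry. 'verifies' is a constructed stand-in for the
 * result of the real decryption and timestamp check. */
struct padata {
    int type;
    int verifies;
};

/* Hypothetical: does this server build implement the given method? */
static int supported(int type, const int *impl, size_t n_impl)
{
    size_t i;
    for (i = 0; i < n_impl; i++)
        if (impl[i] == type)
            return 1;
    return 0;
}

/* Returns 0 to continue processing the AS-REQ, or a KDC error code.
 * strict != 0 models the reported behaviour (unsupported padata rejected);
 * strict == 0 models RFC 1510 9.1 (unsupported padata skipped). */
int screen_padata(const struct padata *pa, size_t n,
                  const int *impl, size_t n_impl,
                  int preauth_required, int strict)
{
    size_t i;
    int verified = 0;
    for (i = 0; i < n; i++) {
        if (!supported(pa[i].type, impl, n_impl)) {
            if (strict)
                return KDC_ERR_PREAUTH_FAILED;
            continue;   /* ignore the method, as the RFC asks */
        }
        if (!pa[i].verifies)
            return KDC_ERR_PREAUTH_FAILED;
        verified = 1;
    }
    /* Skipped padata must never count as proof of preauthentication. */
    if (preauth_required && !verified)
        return KDC_ERR_PREAUTH_REQUIRED;
    return 0;
}
```

The final check is the part to keep when applying the short-term fix: ignoring an unsupported method is safe only if an ignored entry cannot satisfy a principal's preauthentication requirement.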