[2314] in Kerberos-V5-bugs


telnet/77: telnet Kerberos5 diagnostics are hardly clear, checksum confusion abounds

daemon@ATHENA.MIT.EDU (John Hawkinson)
Sun Oct 6 21:11:07 1996

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: hartmans@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, John Hawkinson <jhawk@bbnplanet.com>
Date: Sun, 6 Oct 1996 21:10:31 -0400
From: John Hawkinson <jhawk@bbnplanet.com>
To: krb5-bugs@MIT.EDU

	Note: There was a bad value `medium' for the field `>Severity:'.
	It was set to the default value of `serious'.


>Number:         77
>Category:       telnet
>Synopsis:       telnet Kerberos5 diagnostics are hardly clear, checksum confusion abounds
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    hartmans
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Sun Oct e 21:11:01 EDT 1996
>Last-Modified:
>Originator:
>Organization:
		 BBN Planet
>Release:        beta-7
>Environment:
System: SunOS all-purpo 4.1.4 4 sun4m
Architecture: sun4

>Description:

The Beta 7 telnetd is very unclear about the fact that some of the errors
it notices come from the *daemon*, rather than the client.

I spent quite some time trying to debug my client saying
"Kerberos: checksum verification failed: Decrypt integrity check failed".
It turned out the "Kerberos: " part was from the client, but the rest
was from the telnetd.

Telnetd really needs to make it clear these errors come from it and
not from the client. Also, it should syslog them so the administrator
of the daemon's host can detect this condition (which could conceivably
be an attack...).

My patch includes a note explaining where one might want to modify the
code to remove checksum checking (a la klogind -i) if one wanted to
support such ancient telnet clients. Hopefully there won't be enough
demand that committing such an option is necessary for the mainline MIT
Kerberos release... [folks who feel differently and are reading this
bug report should probably pipe up]

>How-To-Repeat:

Err, spend all day debugging telnet problems with ancient codebases? ;-)

>Fix:

Here you go.

*** appl/telnet/libtelnet/kerberos5.c	1996/10/07 00:07:45	1.1
--- appl/telnet/libtelnet/kerberos5.c	1996/10/07 01:07:17	1.3
***************
*** 65,70 ****
--- 65,71 ----
  #include "com_err.h"
  #include <netdb.h>
  #include <ctype.h>
+ #include <syslog.h>
  
  #ifdef HAVE_STDLIB_H
  #include <stdlib.h>
***************
*** 219,232 ****
  
          if (!UserNameRequested) {
                  if (auth_debug_mode) {
!                         printf("Kerberos V5: no user name supplied\r\n");
                  }
                  return(0);
          }
  
  	if ((r = krb5_cc_default(telnet_context, &ccache))) {
  		if (auth_debug_mode) {
! 			printf("Kerberos V5: could not get default ccache\r\n");
  		}
  		return(0);
  	}
--- 220,235 ----
  
          if (!UserNameRequested) {
                  if (auth_debug_mode) {
!                         printf(
! 			"telnetd: Kerberos V5: no user name supplied\r\n");
                  }
                  return(0);
          }
  
  	if ((r = krb5_cc_default(telnet_context, &ccache))) {
  		if (auth_debug_mode) {
! 		    printf(
! 		    "telnetd: Kerberos V5: could not get default ccache\r\n");
  		}
  		return(0);
  	}
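Review bot: The `telnetd: ` prefix added here appears to land in the client-side send path rather than in the daemon. The surrounding code reads the default ccache, fetches credentials and builds the request, and a later hunk of the same function prints "Sent Kerberos V5 credentials to server". If so, a telnet client running with auth debugging would label its own failures as coming from telnetd, which is the reverse of the confusion the report sets out to remove. I would leave these messages unprefixed (or use `telnet: `) and keep `telnetd: ` for the server-side hunks from new line 458 onward. The same applies to the hunks at new lines 239, 259, 271, 341 and 349. The enclosing function starts and ends outside this hunk.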
***************
*** 236,242 ****
  					 "host", KRB5_NT_SRV_HST,
  					 &creds.server))) {
  	    if (auth_debug_mode)
! 		printf("Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
  	    return(0);
  	}
  
--- 239,245 ----
  					 "host", KRB5_NT_SRV_HST,
  					 &creds.server))) {
  	    if (auth_debug_mode)
! 		printf("telnetd: Kerberos V5: error while constructing service name: %s\r\n", error_message(r));
  	    return(0);
  	}
  
***************
*** 256,262 ****
  	if ((r = krb5_cc_get_principal(telnet_context, ccache,
  				       &creds.client))) {
  		if (auth_debug_mode) {
! 			printf("Kerberos V5: failure on principal (%s)\r\n",
  				error_message(r));
  		}
  		krb5_free_cred_contents(telnet_context, &creds);
--- 259,266 ----
  	if ((r = krb5_cc_get_principal(telnet_context, ccache,
  				       &creds.client))) {
  		if (auth_debug_mode) {
! 			printf(
! 			"telnetd: Kerberos V5: failure on principal (%s)\r\n",
  				error_message(r));
  		}
  		krb5_free_cred_contents(telnet_context, &creds);
***************
*** 267,273 ****
  	if ((r = krb5_get_credentials(telnet_context, 0,
  				      ccache, &creds, &new_creds))) {
  		if (auth_debug_mode) {
! 			printf("Kerberos V5: failure on credentials(%s)\r\n",
  			       error_message(r));
  		}
  		krb5_free_cred_contents(telnet_context, &creds);
--- 271,278 ----
  	if ((r = krb5_get_credentials(telnet_context, 0,
  				      ccache, &creds, &new_creds))) {
  		if (auth_debug_mode) {
! 			printf(
! 			"telnetd: Kerberos V5: failure on credentials(%s)\r\n",
  			       error_message(r));
  		}
  		krb5_free_cred_contents(telnet_context, &creds);
***************
*** 336,342 ****
  	krb5_free_creds(telnet_context, new_creds);
  	if (r) {
  		if (auth_debug_mode) {
! 			printf("Kerberos V5: mk_req failed (%s)\r\n",
  			       error_message(r));
  		}
  		return(0);
--- 341,347 ----
  	krb5_free_creds(telnet_context, new_creds);
  	if (r) {
  		if (auth_debug_mode) {
! 			printf("telnetd: Kerberos V5: mk_req failed (%s)\r\n",
  			       error_message(r));
  		}
  		return(0);
***************
*** 344,359 ****
  
          if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
                  if (auth_debug_mode)
!                         printf("Not enough room for user name\r\n");
                  return(0);
          }
  	if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
  		if (auth_debug_mode)
! 			printf("Not enough room for authentication data\r\n");
  		return(0);
  	}
  	if (auth_debug_mode) {
! 		printf("Sent Kerberos V5 credentials to server\r\n");
  	}
  	return(1);
  }
--- 349,365 ----
  
          if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
                  if (auth_debug_mode)
!                         printf("telnetd: Not enough room for user name\r\n");
                  return(0);
          }
  	if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
  		if (auth_debug_mode)
! 		    printf(
! 		    "telnetd: Not enough room for authentication data\r\n");
  		return(0);
  	}
  	if (auth_debug_mode) {
! 		printf("telnetd: Sent Kerberos V5 credentials to server\r\n");
  	}
  	return(1);
  }
***************
*** 452,457 ****
--- 458,472 ----
  					     cksum->checksum_type, cksum,
  					     &type_check, 2, key->contents,
  					     key->length);
+ 		/*
+ 		 * Note that krb5_verify_checksum() will fail if a pre-
+ 		 * MIT Kerberos Beta 6 client is attempting to connect
+ 		 * to this server (Beta 7 or later). There is not way to
+ 		 * fix this without compromising encryption. It would be
+ 		 * reasonable to add a -i option to telnetd to ignore
+ 		 * checksums (like in klogind). Such an option is not
+ 		 * present at this time.
+ 		 */
  		    if (r) {
  			(void) strcpy(errbuf,
  				      "checksum verification failed: ");
***************
*** 478,484 ****
  			name = 0;
  		Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
  		if (auth_debug_mode) {
! 			printf("Kerberos5 identifies him as ``%s''\r\n",
  							name ? name : "");
  		}
                  auth_finished(ap, AUTH_USER);
--- 493,500 ----
  			name = 0;
  		Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
  		if (auth_debug_mode) {
! 			printf(
! 			"telnetd: Kerberos5 identifies him as ``%s''\r\n",
  							name ? name : "");
  		}
                  auth_finished(ap, AUTH_USER);
***************
*** 522,547 ****
  		    (void) strcat(errbuf, error_message(r));
  		    Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
  		    if (auth_debug_mode)
! 		      printf("Could not read forwarded credentials\r\n");
  		}
  		else 
  		  Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
  		  if (auth_debug_mode)
! 		    printf("Forwarded credentials obtained\r\n");
  		break;
  #endif	/* FORWARD */
  	default:
  		if (auth_debug_mode)
! 			printf("Unknown Kerberos option %d\r\n", data[-1]);
  		Data(ap, KRB_REJECT, 0, 0);
  		break;
  	}
  	return;
  	
      errout:
! 	Data(ap, KRB_REJECT, errbuf, -1);
  	if (auth_debug_mode)
! 	    printf("%s\r\n", errbuf);
  	if (auth_context) {
  	    krb5_auth_con_free(telnet_context, auth_context);
  	    auth_context = 0;
--- 538,572 ----
  		    (void) strcat(errbuf, error_message(r));
  		    Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
  		    if (auth_debug_mode)
! 		      printf(
! 			"telnetd: Could not read forwarded credentials\r\n");
  		}
  		else 
  		  Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
  		  if (auth_debug_mode)
! 		    printf("telnetd: Forwarded credentials obtained\r\n");
  		break;
  #endif	/* FORWARD */
  	default:
  		if (auth_debug_mode)
! 			printf("telnetd: Unknown Kerberos option %d\r\n",
! 			data[-1]);
  		Data(ap, KRB_REJECT, 0, 0);
  		break;
  	}
  	return;
  	
      errout:
! 	{
! 	    char eerrbuf[128+9];
! 
! 	    strcpy(eerrbuf, "telnetd: ");
! 	    strcat(eerrbuf, errbuf);
! 	    Data(ap, KRB_REJECT, eerrbuf, -1);
! 	}
  	if (auth_debug_mode)
! 	    printf("telnetd: %s\r\n", errbuf);
! 	syslog(LOG_ERR, "%s", errbuf);
  	if (auth_context) {
  	    krb5_auth_con_free(telnet_context, auth_context);
  	    auth_context = 0;
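Review bot: The size of `eerrbuf` in the new `errout:` block is written as `128+9`, which is only safe if `errbuf` holds at most 128 bytes. That declaration is outside the hunk, and the `strcpy`/`strcat` pair has no bound of its own. If `errbuf` is an array, tying the size to it with `char eerrbuf[sizeof(errbuf) + sizeof("telnetd: ")];` keeps the copy in range even if `errbuf` is later resized. The added `syslog(LOG_ERR, "%s", errbuf);` correctly passes the text as an argument rather than as the format string. The entry names no peer host or principal, though, so an administrator cannot tell which connection failed; add whatever remote-host identification this file already has in scope. The function body starts before and continues past the hunk.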
>Audit-Trail:
>Unformatted:
