[2578] in Kerberos-V5-bugs
pending/295: 5.5 - 5.7 ticket forwarding compatibility broken
daemon@ATHENA.MIT.EDU (Brian Reitz)
Thu Dec 12 09:21:18 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Brian Reitz <bdr@cray.com>
Date: Thu, 12 Dec 1996 08:20:01 -0600 (CST)
From: Brian Reitz <bdr@cray.com>
To: krb5-bugs@MIT.EDU
>Number: 295
>Category: pending
>Synopsis: 5.5 - 5.7 ticket forwarding compatibility broken
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Dec 12 09:21:01 EST 1996
>Last-Modified:
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:
>Unformatted:
When using the bsd login utils to forward tickets there is a backwards
compatibility issue with older (pre 5.6) clients attempting to talk to
5.6 or 5.7 servers.
The problem is that in 5.5 the forwarded ticket did not include a local
or a remote address in the cred (the s_address and r_address fields in a
krb5_cred_enc_part structure). The 5.6 and 5.7 versions of the ticket
forwarding code do fill in these addrs.
The 5.6 or 5.7 krb5_rd_cred_basic() routine expects to have an s_address as
part of the encrypted message. The asn1 code can deal with the fact that
this addr is not filled in, but krb5_rd_cred_basic() cannot and will SEGV
on a 6.2 IRIX box. I can only assume that it will not do anything good on
other platforms as well.
The fix is to lib/krb5/krb/rd_cred.c and looks like this:
*** /build/bdr/krb5build/src/lib/krb5/krb/rd_cred.c Tue Nov 19 00:31:49 199
6
--- rd_cred.c Tue Dec 3 22:09:46 1996
***************
*** 106,112 ****
* an init_sec_context message, skip over this check.
*/
if (pkeyblock != NULL) {
! if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
retval = KRB5KRB_AP_ERR_BADADDR;
goto cleanup_cred;
}
--- 106,113 ----
* an init_sec_context message, skip over this check.
*/
if (pkeyblock != NULL) {
! if (remote_addr && encpart.s_address &&
! !krb5_address_compare(context, remote_addr, encpart.s_address)) {
retval = KRB5KRB_AP_ERR_BADADDR;
goto cleanup_cred;
}
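Review bot: In the new condition (`remote_addr && encpart.s_address && !krb5_address_compare(...)`), a NULL `encpart.s_address` now skips the comparison entirely, so a message that omits the sender address passes this block even when the caller supplied `remote_addr`. That removes the NULL dereference, but it also means the sender-address check no longer applies to any message that leaves the field out. Consider treating the two NULL cases separately: keep skipping when `remote_addr` is NULL, and make the missing `s_address` case an explicit decision (accept for pre-5.6 compatibility, or return KRB5KRB_AP_ERR_BADADDR). The comment above `if (pkeyblock != NULL)` should also be extended to say which behaviour was chosen and why.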
This is only an issue if you are trying to run 5.6 or later servers
(klogind for example) and wish to provide service to pre 5.6 clients
(a 5.5 klogin for example) and allow them to forward tickets.
------------------------------------------------------------------------------
Brian Reitz voice: (612) 683-5092
Cray Research (A Silicon Graphics Company) email: bdr@cray.com
655F Lone Oak Drive
Eagan, MN, 55121, USA
------------------------------------------------------------------------------
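
The failure mode described in this report (a decoder that tolerates an absent optional field, and a consumer that dereferences it) in reduced form, as an added example that is not part of the original message or of the Kerberos source. All names here (`addr_t`, `enc_part_t`, `check_sender`, `allow_absent`) are hypothetical stand-ins, and the sample addresses are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the krb5 types. */
typedef struct { int type; size_t length; const unsigned char *contents; } addr_t;
/* Decoded encrypted part: the sender address is optional on the wire,
 * so a decoder may legitimately leave s_address NULL. */
typedef struct { const addr_t *s_address; } enc_part_t;

enum check_result { ADDR_OK, ADDR_MISMATCH, ADDR_ABSENT };

/* Constructed sample data (documentation-range IPv4 addresses). */
static const unsigned char ip_a[] = {192, 0, 2, 10};
static const unsigned char ip_b[] = {192, 0, 2, 99};
static const addr_t peer  = {2, 4, ip_a};
static const addr_t other = {2, 4, ip_b};
static const enc_part_t from_old_client = { NULL };   /* field omitted */
static const enc_part_t from_peer       = { &peer };
static const enc_part_t from_other      = { &other };

/* Compare two non-NULL addresses; returns 1 when they are equal. */
static int addr_equal(const addr_t *a, const addr_t *b)
{
    return a->type == b->type && a->length == b->length &&
           memcmp(a->contents, b->contents, a->length) == 0;
}

/* Check the sender address without dereferencing a missing field.
 * expected:     address the caller expects (NULL means no check requested).
 * allow_absent: nonzero accepts senders that omit the field (compatibility),
 *               zero rejects them so the check cannot be skipped. */
enum check_result check_sender(const addr_t *expected, const enc_part_t *enc,
                               int allow_absent)
{
    if (expected == NULL)
        return ADDR_OK;
    if (enc->s_address == NULL)
        return allow_absent ? ADDR_OK : ADDR_ABSENT;
    return addr_equal(expected, enc->s_address) ? ADDR_OK : ADDR_MISMATCH;
}

int main(void)
{
    printf("old client, lenient: %d\n", check_sender(&peer, &from_old_client, 1));
    printf("old client, strict:  %d\n", check_sender(&peer, &from_old_client, 0));
    printf("wrong sender:        %d\n", check_sender(&peer, &from_other, 1));
    return 0;
}
```

The lenient setting corresponds to the behaviour of the proposed fix; the strict setting shows the alternative of rejecting a message that carries no sender address.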