[2842] in Kerberos-V5-bugs
krb5-kdc/514: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
daemon@ATHENA.MIT.EDU (tlyu@MIT.EDU)
Fri Dec 12 19:12:39 1997
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, tlyu@MIT.EDU
Date: Fri, 12 Dec 1997 19:11:24 -0500
From: tlyu@MIT.EDU
Reply-To: tlyu@MIT.EDU
To: krb5-bugs@MIT.EDU
>Number: 514
>Category: krb5-kdc
>Synopsis: KDC doesn't notice issuing of krb4 in_tkt w/o krb4 salt
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Dec 12 19:12:01 EST 1997
>Last-Modified:
>Originator: Tom Yu
>Organization:
mit
>Release: 1.0-development
>Environment:
System: SunOS tesla-coil 5.5.1 Generic_103640-12 sun4m sparc SUNW,SPARCstation-4
Architecture: sun4
>Description:
The KDC, when operating in krb4 compat mode, fails to notice
that a key with a krb4 salt doesn't exist for a principal if it also
has another key that is DES_CBC_CRC but of a different salt. This can
cause quite a bit of confusion with initial tickets.
>How-To-Repeat:
Attempt to get an initial ticket for a principal that has a
DES_CBC_CRC key but without a krb4 salt.
>Fix:
The code in kerb_get_principal needs to have some additional
logic, probably an extra argument in the call chain leading up to it,
in order to discover whether it is servicing an initial ticket request
or not. It is probably safe to issue a service ticket for a principal
having a DES_CBC_CRC key with the wrong salt, as that never needs to
have a key derived from a password. I haven't had time to actually
write up a patch yet but this is to remind myself to do so.
>Audit-Trail:
>Unformatted:
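
Added example (not part of the original report and not MIT krb5 code): a small C model of the key selection the Fix section describes, where the lookup is told whether it is serving an initial ticket request. The types, the function select_v4_key and the sample key lists are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not MIT krb5 source: every name here is hypothetical. */
enum enctype  { ENC_DES_CBC_CRC = 1, ENC_OTHER = 2 };
enum salttype { SALT_V5_NORMAL = 0, SALT_V4 = 1 };

struct key_entry { enum enctype enc; enum salttype salt; int kvno; };

/*
 * Pick the key used to answer a krb4 request.
 * is_initial != 0: initial ticket. The client derives its key from a
 *   password using the krb4 salt, so only a DES_CBC_CRC key stored
 *   with the krb4 salt is usable.
 * is_initial == 0: service ticket. Any DES_CBC_CRC key is accepted,
 *   with a krb4-salted one preferred when present.
 * Returns NULL when no suitable key exists so the caller can fail cleanly.
 */
const struct key_entry *
select_v4_key(const struct key_entry *keys, size_t n, int is_initial)
{
    const struct key_entry *fallback = NULL;

    for (size_t i = 0; i < n; i++) {
        if (keys[i].enc != ENC_DES_CBC_CRC)
            continue;
        if (keys[i].salt == SALT_V4)
            return &keys[i];          /* exact match: right enctype and salt */
        if (fallback == NULL)
            fallback = &keys[i];      /* right enctype, different salt */
    }
    return is_initial ? NULL : fallback;
}

/* Constructed sample principals. */
static const struct key_entry v5_only[] = { { ENC_DES_CBC_CRC, SALT_V5_NORMAL, 3 } };
static const struct key_entry both[] = {
    { ENC_DES_CBC_CRC, SALT_V5_NORMAL, 3 },
    { ENC_DES_CBC_CRC, SALT_V4, 3 },
};

int main(void)
{
    printf("v5-salt only, initial: %s\n", select_v4_key(v5_only, 1, 1) ? "key" : "refused");
    printf("v5-salt only, service: %s\n", select_v4_key(v5_only, 1, 0) ? "key" : "refused");
    printf("both salts,   initial: %s\n", select_v4_key(both, 2, 1) ? "key" : "refused");
    return 0;
}
```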