[2944] in Kerberos-V5-bugs


pending/613: AFS key incorrect with passwords longer than eight characters

daemon@ATHENA.MIT.EDU (Kevin Coffman)
Tue Jun 23 10:39:53 1998

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, Kevin Coffman <kwc@citi.umich.edu>
Date: Tue, 23 Jun 98 10:31:46 -0400
From: Kevin Coffman <kwc@citi.umich.edu>
To: krb5-bugs@MIT.EDU
Cc: kwc@citi.umich.edu


>Number:         613
>Category:       pending
>Synopsis:       AFS key incorrect with passwords longer than eight characters
>Confidential:   yes
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Tue Jun 23 10:33:00 EDT 1998
>Last-Modified:
>Originator:     Operator
>Organization:
        University of Michigan
        Center for Information Technology Integration
>Release:        krb5-1.0.5
>Environment:
        Using K5 and fakeka as AFS authentication.
System: SunOS babble.citi.umich.edu 4.1.2 4 sun4c
Architecture: sun4

>Description:
        The mit_afs_string_to_key() routine expects salt data (realm
        name) to be null-terminated when passwords are longer than
        eight characters.  Routine add_key_pwd() in lib/kdb/kdb_cpw.c
        does not pass in a null-terminated string.  Garbage at the
        end of the salt is used to produce the AFS key.
>How-To-Repeat:
        Change a user's password with K4 kpasswd, K5 kpasswd, or kadmin.
        User cannot authenticate using klog/fakeka because the AFS key
        in the database is incorrect.
>Fix:
        I applied the following change to lib/kdb/kdb_cpw.c to terminate
        the realm name passed in as the salt value for AFS keys:

Index: kdb_cpw.c
===================================================================
RCS file: /usr/um/src/krb5/krb5-1.0.5UM/src/lib/kdb/kdb_cpw.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -r1.1.1.1 -r1.2
395a396,397
>           char * terminated_string;
>
399d400
<
400a402,417
>           /*
>            * The krb5_string_to_key function expects a null-terminated realm
>            * name.  Re-allocate storage with room for a terminator and
>            * terminate the string.
>            */
>           if ((terminated_string = malloc(key_salt.data.length + 1)) == NULL)
>           {
>               if (key_salt.data.data)
>                   free(key_salt.data.data);
>               krb5_xfree(saltdata);
>               return(ENOMEM);
>           }
>           memcpy(terminated_string, key_salt.data.data, key_salt.data.length);
>           terminated_string[key_salt.data.length] = '\0';
>           free(key_salt.data.data);
>           key_salt.data.data = terminated_string;
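
Review bot: the malloc-failure branch frees `key_salt.data.data` and `saltdata` before `return(ENOMEM)`, but the function's cleanup on its other failure returns is outside the hunk; check that this branch matches it (same allocator for each buffer, given that `free()` is used for one and `krb5_xfree()` for the other, and no second free of `key_salt.data.data` later), since the success path also replaces `key_salt.data.data` with `terminated_string` and now relies on the existing later free releasing that buffer while `key_salt.data.length` stays the untermin­ated length. Two smaller points: the comment names `krb5_string_to_key`, while the report attributes the requirement to `mit_afs_string_to_key()` and only for passwords longer than eight characters, so the comment should say which routine needs the terminator and why; and because the root cause is the callee reading past `key_salt.data.length`, a fix inside `mit_afs_string_to_key()` that honours the length would protect every caller instead of only this one.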

>Audit-Trail:
>Unformatted:
        no
        AFS key incorrect with passwords longer than eight characters
        serious
        high
        krb5-libs
        sw-bug
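As an added illustration of the defect the report describes (example code written for this page, not part of krb5 or the submitter's patch): the `salt_data` struct, the toy `toy_key_from_cstring_salt()` routine, the password and the constructed `EXAMPLE.ORG` buffer are assumptions standing in for `krb5_data`, `mit_afs_string_to_key()` and the realm salt. The toy treats its salt as a C string, so a length-delimited buffer followed by other bytes yields a different key until it is copied and NUL-terminated, which is the remedy the patch applies in `add_key_pwd()`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed simplified stand-in for krb5_data: a length-delimited buffer with no
 * guarantee of a terminating NUL after data[length-1]. */
typedef struct {
    size_t length;
    const char *data;
} salt_data;

/* Toy stand-in for a string-to-key routine that treats its salt as a C string,
 * as the report says mit_afs_string_to_key() does for passwords longer than
 * eight characters. Not the AFS algorithm: a 32-bit FNV-1a fold of password
 * and salt, used only so that a changed salt visibly changes the result. */
uint32_t toy_key_from_cstring_salt(const char *password, const char *salt)
{
    uint32_t h = 2166136261u;
    for (const char *p = password; *p; p++) { h ^= (unsigned char)*p; h *= 16777619u; }
    for (const char *p = salt; *p; p++)     { h ^= (unsigned char)*p; h *= 16777619u; }
    return h;
}

/* Bytes a C-string consumer actually reads from the buffer: strlen stops at the
 * first NUL, which may lie well past data.length. */
size_t bytes_consumed_as_cstring(const salt_data *s)
{
    return strlen(s->data);
}

/* malloc'd NUL-terminated copy of a length-delimited salt (caller frees), NULL on
 * allocation failure: the same pattern the submitted fix applies in add_key_pwd(). */
char *terminated_copy(const salt_data *s)
{
    char *t = malloc(s->length + 1);
    if (t == NULL)
        return NULL;
    memcpy(t, s->data, s->length);
    t[s->length] = '\0';
    return t;
}

/* Helper: take the first len bytes of buf as a salt, terminate it, and report
 * whether the copy equals expected (1) or not (0). */
int terminated_copy_equals(const char *buf, size_t len, const char *expected)
{
    salt_data s = { len, buf };
    char *t = terminated_copy(&s);
    int ok = t != NULL && strcmp(t, expected) == 0;
    free(t);
    return ok;
}

/* 1 when the key derived through terminated_copy() equals the key derived from
 * the clean realm string while the raw (unterminated) buffer gives a different
 * key; 0 otherwise. */
int demo_terminated_salt_matches(void)
{
    const char *password = "longerthaneightchars";   /* > 8 chars: the affected path */
    const char *realm = "EXAMPLE.ORG";               /* constructed realm name */
    const char *raw = "EXAMPLE.ORGjunkbytes";        /* constructed: realm + trailing bytes */
    salt_data salt = { strlen(realm), raw };

    uint32_t expected = toy_key_from_cstring_salt(password, realm);
    uint32_t wrong = toy_key_from_cstring_salt(password, salt.data);  /* folds the junk too */
    char *term = terminated_copy(&salt);
    if (term == NULL)
        return 0;
    uint32_t fixed = toy_key_from_cstring_salt(password, term);
    free(term);
    return fixed == expected && wrong != expected;
}

int main(void)
{
    salt_data salt = { 11, "EXAMPLE.ORGjunkbytes" };
    printf("bytes a C-string consumer reads: %zu (salt length is %zu)\n",
           bytes_consumed_as_cstring(&salt), salt.length);
    printf("%s\n", demo_terminated_salt_matches()
                       ? "terminated salt reproduces the right key" : "mismatch");
    return 0;
}
```

The check to carry over to real code is the one `bytes_consumed_as_cstring()` makes visible: whenever a `krb5_data`-style buffer is handed to a routine that stops at a NUL, either the callee must honour the length or the caller must terminate a copy, as the patch does.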
