[2994] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

telnet/656: telnet does not check for remote subkey during authentication

daemon@ATHENA.MIT.EDU (fcusack@iconnet.net)
Fri Nov 6 17:59:04 1998

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: hartmans@MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, fcusack@iconnet.net
Date: Fri, 6 Nov 1998 17:49:18 -0500 (EST)
From: fcusack@iconnet.net
Reply-To: fcusack@iconnet.net
To: krb5-bugs@MIT.EDU


>Number:         656
>Category:       telnet
>Synopsis:       telnet does not check for remote subkey during authentication
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    hartmans
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Fri Nov 06 17:49:00 EST 1998
>Last-Modified:
>Originator:     Frank Cusack
>Organization:
Icon CMT Corp.
>Release:        krb5-current-19981012
>Environment:
N/A
System: SunOS ratbert 5.6 Generic_105181-09 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4

>Description:
	telnet client always uses local subkey as the encryption key
	[for encrypted telnet sessions]. However, if the remote side
	sends back it's own subkey, it should use that instead. Not
	a problem against MIT telnetd, since the remote subkey is
	always identical to the local, but other telnetd's may not
	do the same thing.
>How-To-Repeat:
	I don't know of any telnetd's that actually do this, the problem
	is not one that I have seen in actual use.
>Fix:
diff -u -r1.1.1.1 kerberos5.c
--- kerberos5.c	1998/10/14 00:47:33	1.1.1.1
+++ kerberos5.c	1998/11/06 22:33:24
@@ -319,22 +319,26 @@
 	}
 
 	if (newkey) {
+	    /*
+	     * XXX code previously was here to check enctype of subkey.
+	     * Not needed - subkey will have same type as session key.
+	     * [Assuming MIT libraries]
+	     * This limits session key enctypes to DES for now.
+	     */
 	    /* keep the key in our private storage, but don't use it
 	       yet---see kerberos5_reply() below */
-	    if ((newkey->enctype != ENCTYPE_DES_CBC_CRC) &&
-		(newkey-> enctype != ENCTYPE_DES_CBC_MD5)) {
-		if ((new_creds->keyblock.enctype == ENCTYPE_DES_CBC_CRC) ||
-		    (new_creds->keyblock.enctype == ENCTYPE_DES_CBC_MD5))
-		    /* use the session key in credentials instead */
-		    krb5_copy_keyblock(telnet_context,&new_creds->keyblock,
-				       &session_key);
-		else
-		    /* XXX ? */;
-	    } else {
-		krb5_copy_keyblock(telnet_context, newkey, &session_key);
-	    }
+	    krb5_copy_keyblock(telnet_context, newkey, &session_key);
 	    krb5_free_keyblock(telnet_context, newkey);
+	} else {
+	    /* XXX Should we just continue with the session key? */
+	    krb5_free_cred_contents(telnet_context, &creds);
+	    krb5_free_creds(telnet_context, new_creds);
+	    if (auth_debug_mode) {
+		printf("telnet: Kerberos V5: mk_req did not generate a subkey!\r\n");
+	    }
+	    return (0);
 	}
+
 #endif	/* ENCRYPTION */
 	krb5_free_cred_contents(telnet_context, &creds);
 	krb5_free_creds(telnet_context, new_creds);
@@ -581,6 +585,7 @@
 {
 #ifdef ENCRYPTION
         Session_Key skey;
+	krb5_keyblock *newkey = 0;
 #endif
 	static int mutual_complete = 0;
 
@@ -612,7 +617,8 @@
 #endif	/* ENCRYPTION */
 		}
 		if (cnt)
-		    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
+		    printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n",
+			   cnt, data);
 		else
 		    printf("[ Kerberos V5 accepts you ]\r\n");
 		auth_finished(ap, AUTH_USER);
@@ -639,13 +645,38 @@
 			return;
 		    }
 		    krb5_free_ap_rep_enc_part(telnet_context, reply);
+
 #ifdef	ENCRYPTION
+
+		    /* Use remote subkey if one was returned */
+		    krb5_auth_con_getremotesubkey(telnet_context,
+						  auth_context,
+						  &newkey);
+
+		    if (newkey) {
+			if (session_key) {
+			    krb5_free_keyblock(telnet_context, session_key);
+			    session_key = 0;
+			}
+			if ((newkey->enctype != ENCTYPE_DES_CBC_CRC) &&
+			    (newkey->enctype != ENCTYPE_DES_CBC_MD5)) {
+			    printf("[ Telnet Encryption failed: remote subkey enctype unknown (%d) ]\r\n",
+				   newkey->enctype);
+			    krb5_free_keyblock(telnet_context, newkey);
+			    return;
+			} else {
+			    krb5_copy_keyblock(telnet_context, newkey,
+					       &session_key);
+	    	        }
+		        krb5_free_keyblock(telnet_context, newkey);
+		    }
+
 		    if (session_key) {
 			skey.type = SK_DES;
 			skey.length = 8;
 			skey.data = session_key->contents;
 			encrypt_session_key(&skey, 0);
-		      }
+		    }
 #endif	/* ENCRYPTION */
 		    mutual_complete = 1;
 		}
>Audit-Trail:
>Unformatted:
home help back first fref pref prev next nref lref last post