[3089] in Kerberos-V5-bugs
krb5-libs/730: new kinit and h/w preauth
daemon@ATHENA.MIT.EDU (Chas Williams)
Sun Jun 27 15:38:05 1999
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, chas@cmf.nrl.navy.mil
Message-Id: <199906271937.PAA01189@fermi.cmf.nrl.navy.mil>
Date: Sun, 27 Jun 1999 15:37:15 -0400
From: Chas Williams <chas@cmf.nrl.navy.mil>
Reply-To: chas@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Cc: kenh@cmf.nrl.navy.mil
>Number: 730
>Category: krb5-libs
>Synopsis: h/w preauth seems broken in krb5_get_init_creds_password
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Jun 27 15:38:01 EDT 1999
>Last-Modified:
>Originator: Chas Williams
>Organization:
Naval Research Laboratory, Washington, DC
>Release: krb5-current-19990626
>Environment:
System: SunOS fermi 5.6 Generic_105181-11 sun4d sparc SUNW,SPARCserver-1000
Architecture: sun4
>Description:
Attempting to use the new kinit (using the krb5_get_init_creds_password
routine) to get a ticket, and my principal has the requires-hwauth
flag set, I fail to get a ticket with the error message 'Bad password':
% ./kinit
CryptoCard RB-1
Press ENTER and compare this challenge to the one on your display
Challenge is [42058226], Enter the displayed response: 86566993
kinit: Password incorrect
Note that it DIDN'T actually prompt me for a password; it just
said bad password. If I give a bad response to the challenge
I get back 'preauth failed', which is correct.
>How-To-Repeat:
See above.
>Fix:
Apparently the problem lies in gic_pwd.c (but I am not an
expert on this code, so this is mostly a guess).
Near the beginning of krb5_get_as_key_password(), we see:

    /* if there's already a key of the correct etype, we're done.
       if the etype is wrong, free the existing key, and make
       a new one. */
    if (as_key->length) {
        if (as_key->enctype == etype)
            return 0;
        krb5_free_keyblock_contents(context, as_key);
        as_key->length = 0;
    }

After the h/w preauth exchanges, as_key->enctype == etype,
but I haven't been asked for my password, and since this
routine is the one that does that job, this function shouldn't
return 0 at this point; it should continue. (Without h/w preauth
as_key->length == 0, I believe, and this code isn't triggered.)
I 'fixed' it by changing it to:

    if (as_key->length) {
        if (as_key->enctype != etype) {
            krb5_free_keyblock_contents(context, as_key);
            as_key->length = 0;
        }
    }

After this change, kinit asks for my password after the preauth
exchange and I am able to get a ticket. This change doesn't seem to
bother principals not using h/w preauth.
On a side note, I don't think it should display my response to
the challenge; I suspect the hidden flag isn't being set.
>Audit-Trail:
>Unformatted:
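As an added example (not code from the report above and not MIT krb5's own code), the following C harness models the early-return check quoted in the report and the reporter's change side by side, so both can be run against the state the report describes: a key block that already carries a key of the requested etype when the get-as-key callback runs after the h/w preauth exchange. Every name in it (toy_keyblock, hw_preauth_stub, prompt_and_string_to_key, prompts_for, the etype constant) is hypothetical; the report does not show how as_key comes to be populated, so hw_preauth_stub simply constructs that state, and the toy string-to-key step releases any previous key contents itself because the quoted fragment does not show what the rest of the routine does with a still-allocated key.

```c
/* Added example, not krb5 code: toy model of the get-as-key callback check
 * discussed in krb5-libs/730. All names and constants here are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define TOY_ETYPE 1   /* constant chosen for the example, not a krb5 enctype value */

typedef struct {
    int enctype;
    size_t length;
    unsigned char *contents;
} toy_keyblock;

/* Counts how often the password prompt would have been shown. */
static int prompt_calls;

static void free_keyblock_contents(toy_keyblock *k)
{
    free(k->contents);
    k->contents = NULL;
    k->length = 0;
}

/* Stand-in for "prompt for the password and run string-to-key": derives a
 * deterministic 8-byte key from a constructed sample password. It frees any
 * previous contents first; the real routine's handling of that is not shown
 * in the report. */
static int prompt_and_string_to_key(int etype, toy_keyblock *k)
{
    static const char password[] = "correct horse";   /* constructed sample */
    prompt_calls++;
    free_keyblock_contents(k);
    k->contents = malloc(8);
    if (!k->contents)
        return -1;
    for (int i = 0; i < 8; i++)
        k->contents[i] = (unsigned char)(password[i % (sizeof password - 1)] ^ etype);
    k->length = 8;
    k->enctype = etype;
    return 0;
}

/* Variant A: the check as quoted from gic_pwd.c. A cached key of the right
 * etype short-circuits the whole routine, including the prompt. */
static int get_as_key_original(int etype, toy_keyblock *as_key)
{
    if (as_key->length) {
        if (as_key->enctype == etype)
            return 0;
        free_keyblock_contents(as_key);
    }
    return prompt_and_string_to_key(etype, as_key);
}

/* Variant B: the reporter's change. Only a wrong-etype key is discarded;
 * either way the routine falls through to the prompt. */
static int get_as_key_changed(int etype, toy_keyblock *as_key)
{
    if (as_key->length) {
        if (as_key->enctype != etype)
            free_keyblock_contents(as_key);
    }
    return prompt_and_string_to_key(etype, as_key);
}

/* Constructs the state the report describes after the h/w preauth exchange:
 * as_key already holds a key tagged with the given etype. */
static void hw_preauth_stub(int etype, toy_keyblock *as_key)
{
    as_key->contents = calloc(8, 1);
    as_key->length = as_key->contents ? 8 : 0;
    as_key->enctype = etype;
}

/* Runs one variant from a given starting state (cached_etype 0 = no cached
 * key, as in the non-h/w case) and returns how many prompts it issued,
 * or -1 on error. */
static int prompts_for(int (*variant)(int, toy_keyblock *), int cached_etype)
{
    toy_keyblock k = {0, 0, NULL};
    if (cached_etype)
        hw_preauth_stub(cached_etype, &k);
    prompt_calls = 0;
    int rc = variant(TOY_ETYPE, &k);
    free_keyblock_contents(&k);
    return rc ? -1 : prompt_calls;
}

int main(void)
{
    printf("original, key cached with matching etype: %d prompt(s)\n",
           prompts_for(get_as_key_original, TOY_ETYPE));
    printf("changed,  key cached with matching etype: %d prompt(s)\n",
           prompts_for(get_as_key_changed, TOY_ETYPE));
    printf("original, no cached key:                  %d prompt(s)\n",
           prompts_for(get_as_key_original, 0));
    return 0;
}
```

The first case is the symptom in the report: the original check returns 0 without ever prompting, so the AS exchange proceeds with whatever key was already in as_key and the user sees "Password incorrect" with no password prompt. One caveat a reviewer of the proposed change would raise: with a matching etype, variant B falls through with the old key contents still allocated, so whatever follows the check must free or reuse them rather than simply overwrite the key block, and the quoted fragment does not show that part of the routine.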