[3106] in Kerberos-V5-bugs


pending/747: pa_sam() KRB5_SAM_SEND_ENCRYPTED_SAD doesn't work in 1.1 beta

daemon@ATHENA.MIT.EDU (Chas Williams)
Thu Sep 2 19:10:12 1999

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: gnats-admin@rt-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, chas@cmf.nrl.navy.mil
Message-Id: <199909022309.QAA06190@borg.cmf.nrl.navy.mil>
Date: Thu, 2 Sep 1999 16:09:37 -0700 (PDT)
From: Chas Williams <chas@cmf.nrl.navy.mil>
Reply-To: chas@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Cc: kenh@cmf.nrl.navy.mil


>Number:         747
>Category:       pending
>Synopsis:       pa_sam()'s KRB5_SAM_SEND_ENCRYPTED_SAD doesn't ask for password
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    gnats-admin
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Thu Sep 02 19:10:00 EDT 1999
>Last-Modified:
>Originator:     Chas Williams
>Organization:
hardly any, ask ken
>Release:        1.1beta
>Environment:
	System: IRIX borg 6.5 04151556 IP22


>Description:
	When using SecurID as a h/w preauth method I see the
	following behavior:

% ./kinit chas@WES.HPC.MIL
SAM Authentication
Challenge for Security Dynamics mechanism
SecurID Passcode:
kinit: Bad encryption type while getting initial credentials
%
	Note that it never actually asked for my password.
	The problem seems to be in the following from krb5/krb5/preauth2.c:

    enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
    if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
        enc_sam_response_enc.sam_passcode = response_data;
    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {

	Note that it never asks for my password to use as a key
	or even encrypts the preauth response.

>How-To-Repeat:
	(see above, but you need a h/w preauth method that uses
	KRB5_SAM_SEND_ENCRYPTED_SAD)
>Fix:
	A previous fix from another site was to do the following:

   if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
        /*
         * We need to use the password as part or all of the key.
         * If as_key contains info, it should be the users pass phrase.
         * If not, get the password before issuing the challenge.
         */
        if (as_key->length == 0) {
           if (ret = ((*gak_fct)(context, request->client,
                             request->ktype[0], prompter, prompter_data,
                             salt, as_key, gak_data)))
               return(ret);
        }
        enc_sam_response_enc.sam_passcode = response_data;
    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
        if (sam_challenge->sam_nonce == 0) {

	However, this doesn't work anymore since the latest changes
	to the crypto library.
>Audit-Trail:
>Unformatted:
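To make the control-flow defect in the report concrete, here is a small stand-alone C model of the client's SAM response assembly. It is an added illustration, not MIT's preauth2.c: the flag bits, the keyblock, the `pass_phrase_to_key` callback (standing in for gak_fct) and the XOR "encryption" are constructed stand-ins. It contrasts the 1.1 beta path, which reaches the encryption step with an as_key that was never filled in, with the fixed path, which fetches the pass phrase first.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed stand-ins for the krb5 SAM flag bits and error code (not the real values). */
#define SAM_SEND_ENCRYPTED_SAD 0x1u
#define SAM_USE_SAD_AS_KEY     0x2u
#define ERR_BAD_ENCTYPE        (-1)

typedef struct { int enctype; size_t length; uint8_t contents[32]; } keyblock;
/* Stand-in for krb5's gak_fct: derive as_key from the user's pass phrase.
   Here prompter_data is simply the pass phrase string (constructed). */
typedef int (*get_as_key_fn)(keyblock *as_key, const void *prompter_data);
static int pass_phrase_to_key(keyblock *as_key, const void *prompter_data) {
    const char *pw = (const char *)prompter_data;
    size_t n = strlen(pw);
    if (n == 0 || n > sizeof as_key->contents) return -2;
    memcpy(as_key->contents, pw, n);
    as_key->length = n;
    as_key->enctype = 1;              /* constructed: any non-zero enctype */
    return 0;
}

/* Toy encryption (XOR with the key). Like the real crypto library, it
   refuses a key whose enctype was never set: that is the "Bad encryption
   type" kinit prints when the 1.1 beta path reaches this step. */
static int encrypt_sad(const keyblock *k, const char *sad, uint8_t *out, size_t *len) {
    size_t i, n = strlen(sad);
    if (k->enctype == 0 || k->length == 0) return ERR_BAD_ENCTYPE;
    for (i = 0; i < n; i++) out[i] = (uint8_t)sad[i] ^ k->contents[i % k->length];
    *len = n;
    return 0;
}

/* Client-side SAM response assembly. With fixed == 0 it follows the 1.1 beta
   flow (no pass phrase fetched before encrypting); with fixed == 1 it applies
   the fix quoted in the report: fetch the pass phrase when as_key is empty. */
int build_sam_response(uint32_t sam_flags, const char *sad, keyblock *as_key,
                       get_as_key_fn gak, const void *prompter_data, int fixed,
                       uint8_t *enc_out, size_t *enc_len) {
    int ret;
    if (sam_flags & SAM_SEND_ENCRYPTED_SAD) {
        if (fixed && as_key->length == 0 && (ret = gak(as_key, prompter_data)) != 0)
            return ret;
        return encrypt_sad(as_key, sad, enc_out, enc_len);   /* SAD goes out encrypted */
    }
    if (sam_flags & SAM_USE_SAD_AS_KEY)   /* passcode itself is the key; no prompt */
        return pass_phrase_to_key(as_key, sad);
    return 0;
}
```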
