[3277] in Kerberos-V5-bugs


krb5-libs/1022: multiple IP addresses vs. GSSAPI

daemon@ATHENA.MIT.EDU (donn@u.washington.edu)
Mon Dec 3 16:27:21 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, donn@u.washington.edu
Message-Id: <200112032124.fB3LOL448698@melville.u.washington.edu>
Date: Mon, 3 Dec 2001 13:24:21 -0800
From: donn@u.washington.edu
Reply-To: donn@u.washington.edu
To: krb5-bugs@mit.edu


>Number:         1022
>Category:       krb5-libs
>Synopsis:       accept_sec_context() specifies principal to rd_req()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Dec  3 16:25:01 EST 2001
>Last-Modified:
>Originator:     Donn Cave
>Organization:
	University Computing Services
	University of Washington
>Release:        krb5-1.2.2
>Environment:
	Any
System: AIX melville 3 4 00600210C000


>Description:
	ftpd and other Kerberos services implemented with GSSAPI are
	unable to authenticate on alternate IP+DNS addresses supported
	by separate network interfaces, for example back door networks.
	The MIT telnetd avoids this problem by passing a null pointer
	to krb5_rd_req's 4th parameter.  GSSAPI krb5_gss_accept_sec_context()
	should do likewise.
>How-To-Repeat:
	Set up a host with 2 interfaces, DNS host_a and IP ip_a on one
	and host_b and ip_b on the other, and populate the keytab with
	ftp & host keys for both host_a & host_b.  Connect with ftp.
	Result will be "wrong principal", from krb5_rd_req()
>Fix:
*** lib/gssapi/krb5/accept_sec_context.c.dist	Tue Nov  6 15:25:51 2001
--- lib/gssapi/krb5/accept_sec_context.c	Mon Dec  3 13:08:40 2001
***************
*** 345,351 ****
         goto fail;
     }
  
!    if ((code = krb5_rd_req(context, &auth_context, &ap_req, cred->princ,
  			   cred->keytab, NULL, &ticket))) {
         major_status = GSS_S_FAILURE;
         goto fail;
--- 345,351 ----
         goto fail;
     }
  
!    if ((code = krb5_rd_req(context, &auth_context, &ap_req, NULL,
  			   cred->keytab, NULL, &ticket))) {
         major_status = GSS_S_FAILURE;
         goto fail;
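Review bot: The changed krb5_rd_req() call now passes NULL as the server argument unconditionally, so the acceptor no longer checks that the ticket's service principal matches cred->princ, even when the caller acquired the credential for one specific name. With NULL, any key in cred->keytab that decrypts the ticket is accepted; on a host like the one in How-To-Repeat, where the keytab holds ftp and host keys for both host_a and host_b, the service name is no longer pinned by this call. Consider keeping cred->princ when the application supplied an explicit acceptor name and passing NULL only for a default credential, or, if NULL stays, comparing ticket->server against the names the service expects after krb5_rd_req() returns, and documenting that the keytab must contain only keys the service is willing to accept.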
>Audit-Trail:
>Unformatted:
