[734] in Kerberos-V5-bugs


kdc bug/cross-realm auth

daemon@ATHENA.MIT.EDU (Dave McGuire)
Sun Sep 11 00:56:57 1994

Date: Sun, 11 Sep 1994 00:56:49 -0400
From: Dave McGuire <mcguire@rocinante.digex.net>
To: krb5-bugs@MIT.EDU

  Hey guys...Kudos on k5b4.2...Very very nice!

  Attached is a copy of an article I posted to comp.protocols.kerberos
earlier describing an apparent bug in the kdc in which a `||' instead
of a `&&' causes cross-realm auth to fail if realm names are of the
same length.

  Also, while most of my k5 stuff has been under SunOS, I've been
trying to get it running under Linux 1.09 as well.  Everything I've
tried works fine, except for outgoing telnet, which drops core.
Incoming works fine.  I have yet to make any progress locating the
culprit, but I wanted to make sure you folks knew about it.

  Oh and kadmind blows big chunks all over the place...I'm going to
try to make some time to look into that; if I make any headway I'll
let you know.


                          Best regards,
                            -Dave McGuire
                             Operations
                             Digital Express Group, Incorporated
                             mcguire@digex.net


---begin included text---
comp.protocols.kerberos #2381
From: mcguire@rocinante.digex.net (Dave McGuire)
Subject: bug found in kdc (w/fix)
Date: Sat Sep 10 19:46:27 EDT 1994
Organization: Express Access Online Communications, Greenbelt, MD USA
Lines: 46


  Hey...Just found a bug in krb5kdc relating to cross-realm
authentication.  It results in a "PROCESS_TGS: failed lineage check"
error when the realm names are different but are of the same length.

  In the following little snippet of code, the "||" should be "&&", as
far as I can tell.  Hopefully someone more familiar with the internals
will sanity check this for me; but it seems to be the Right Thing(tm).

     >   if (foreign_server) {
     >     krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
     >     krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
==>  >     if (tkt_realm->length == tgs_realm->length ||
     >       !memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length)) {
     >      /* someone in a foreign realm claiming to be local */
     >      syslog(LOG_INFO, "PROCESS_TGS: failed lineage check");
     >      retval = KRB5KDC_ERR_POLICY;
     >      goto cleanup;
     >     }
     >  }

  The following patch fixes this:

---cut here---
*** kdc_util.c  Sat Sep 10 19:41:20 1994
--- kdc_util.c~ Sat Jul 16 02:00:59 1994
***************
*** 294,298 ****
        krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
        krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
!       if (tkt_realm->length == tgs_realm->length ||
            !memcmp(tkt_realm->data, tgs_realm->data,
tgs_realm->length)) {
            /* someone in a foreign realm claiming to be local */
--- 294,298 ----
        krb5_data *tkt_realm = krb5_princ_realm(ticket_enc->client);
        krb5_data *tgs_realm = krb5_princ_realm(tgs_server);
!       if (tkt_realm->length == tgs_realm->length &&
            !memcmp(tkt_realm->data, tgs_realm->data,
tgs_realm->length)) {
            /* someone in a foreign realm claiming to be local */
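Review bot: the file headers are swapped relative to the hunk bodies: the `***` side is labelled `kdc_util.c` (Sep 10) yet carries the original `||`, while the `---` side is labelled the `kdc_util.c~` backup (Jul 16) yet carries the corrected `&&`. `patch` treats `***` as the old file and `---` as the new one, so applying this still turns `||` into `&&`, but the headers should be regenerated with the backup first (`diff -c kdc_util.c~ kdc_util.c`) so they describe the change correctly. The change itself is right: the comment `/* someone in a foreign realm claiming to be local */` says the branch is meant to fire only when the ticket's client realm is byte-for-byte identical to the TGS realm, which requires equal length AND equal bytes. With `||`, any foreign realm of the same length as the local realm, and any longer realm whose name merely starts with the local realm's bytes, was rejected, and the `&&` also matters for memory safety: its short-circuit stops `memcmp` from reading `tgs_realm->length` bytes out of a shorter `tkt_realm->data`.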
---cut here---


                            -Dave McGuire
                             Operations
                             Digital Express Group, Incorporated
                             mcguire@digex.net
---end included text---
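The realm comparison from the post, reimplemented as an added example (not code from the post or from the Kerberos distribution) so the `||` and `&&` forms can be run side by side. A constructed `realm_data` struct stands in for `krb5_data`, the realm names are made up for the demonstration, and the two wrappers return 1 when the KDC would log "PROCESS_TGS: failed lineage check" and reject the request:

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the krb5_data counted string used in the KDC snippet.
 * Constructed for this example; it is not the real krb5 type. */
typedef struct {
    unsigned int length;
    const char *data;
} realm_data;

static realm_data make_realm(const char *s)
{
    realm_data r;
    r.length = (unsigned int)strlen(s);
    r.data = s;
    return r;
}

/* The lineage check as quoted in the post (the `||` form). Returns 1 when
 * the KDC would reject the request as "foreign realm claiming to be local".
 * NOTE: when tkt_realm is shorter than tgs_realm, memcmp here reads past the
 * end of tkt_realm->data; main() below never calls it with such input. */
static int lineage_rejects_buggy(const realm_data *tkt_realm,
                                 const realm_data *tgs_realm)
{
    return tkt_realm->length == tgs_realm->length ||
           !memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length);
}

/* The corrected check (the `&&` form from the patch). Only a byte-for-byte
 * identical realm name is rejected, and because the length test comes first
 * memcmp never runs on buffers of different sizes. */
static int lineage_rejects_fixed(const realm_data *tkt_realm,
                                 const realm_data *tgs_realm)
{
    return tkt_realm->length == tgs_realm->length &&
           !memcmp(tkt_realm->data, tgs_realm->data, tgs_realm->length);
}

/* String wrappers so the two forms can be compared on named cases. */
int buggy_rejects(const char *tkt, const char *tgs)
{
    realm_data a = make_realm(tkt), b = make_realm(tgs);
    return lineage_rejects_buggy(&a, &b);
}

int fixed_rejects(const char *tkt, const char *tgs)
{
    realm_data a = make_realm(tkt), b = make_realm(tgs);
    return lineage_rejects_fixed(&a, &b);
}

int main(void)
{
    /* Constructed realm names. Every ticket realm is at least as long as the
     * TGS realm so the buggy memcmp stays within bounds. */
    struct { const char *tkt, *tgs, *why; } cases[] = {
        { "DIGEX.NET",      "DIGEX.NET", "identical realm: a real impersonation" },
        { "REALM-ONE",      "REALM-TWO", "different realms of the same length" },
        { "MIT.EDU.OTHER",  "MIT.EDU",   "foreign realm with the local name as prefix" },
        { "ATHENA.MIT.EDU", "DIGEX.NET", "unrelated realms" },
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-15s vs %-10s buggy=%d fixed=%d  (%s)\n",
               cases[i].tkt, cases[i].tgs,
               buggy_rejects(cases[i].tkt, cases[i].tgs),
               fixed_rejects(cases[i].tkt, cases[i].tgs),
               cases[i].why);
    }
    return 0;
}
```

The second and third cases are the two ways the `||` form misfires: a foreign realm that merely has the same length as the local one is rejected outright, and a longer foreign realm that starts with the local realm's bytes is rejected by the `memcmp` even though the lengths differ. A fourth failure mode, a ticket realm shorter than the TGS realm, is deliberately not exercised, because with `||` the `memcmp` would read beyond the shorter buffer; the `&&` form's short-circuit is what rules that out.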
