[15948] in Kerberos_V5_Development
krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing
daemon@ATHENA.MIT.EDU (Douglas E. Engert)
Wed Jun 30 15:17:34 2010
Message-ID: <4C2B984B.60807@anl.gov>
Date: Wed, 30 Jun 2010 14:17:31 -0500
From: "Douglas E. Engert" <deengert@anl.gov>
MIME-Version: 1.0
To: "'krbdev@mit.edu'" <krbdev@mit.edu>
Content-Type: multipart/mixed; boundary="------------070602080302050407000807"
Errors-To: krbdev-bounces@mit.edu
This is a multi-part message in MIME format.
--------------070602080302050407000807
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
With Ubuntu Lucid, and AD 2008 as KDC, a service ticket can
be issued using AES 256, but the PAC server Checksum can be
using RC4.
sshd would then get a "Bad encryption type" message and fail.
This appears to be the situation as outlined in Example 2 in this blog:
http://blogs.msdn.com/b/openspecification/archive/2010/01/01/verifying-the-server-signature-in-kerberos-privilege-account-certificate.aspx
Using a version of MIT 1.8 of gss-client and gss-server, I can reproduce this
problem on a Solaris 10 system, and indeed the service key enctype is 18 for
AES 256, and the checksum type is CHECKSUM_TYPE_HMAC_MD5_ARCFOUR
See attached gdb output.
Any ideas on how to fix this for the long term, where AES is used and
a system may want to use the PAC?
For a system like Windows that stores the password and generates keys on
the fly this in not a big deal. For systems where keys are stored
separately this is a big deal, as it means you need to have two keys
to verify the PAC.
In my situation the PAC is not needed, so a circumvention is to
use the NO_AUTH_DATA_REQUIRED bit: http://support.microsoft.com/kb/832572
or not use AES, or as the blog suggests, if the msDS-SupportedEncryptionTypes
does not include RC4, it might use AES. (I have not tried this, yet
as RC4 is still the common enctype available on all our systems.)
The Solaris 10 provided Kerberos can use AES and does not have this problem,
as I don't think it is checking the PAC...
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
--------------070602080302050407000807
Content-Type: text/plain;
name="cs.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
filename="cs.txt"
#0 krb5_k_verify_checksum (context=0x27e00, key=0x275b8, usage=17,
data=0xffbff220, cksum=0xffbff210, valid=0xffbff1fc)
at ../../../../src/lib/crypto/krb/cksumtypes.h:134
#1 0xff25ca68 in krb5_c_verify_checksum (context=0x27e00, keyblock=0x275b8,
usage=17, data=0xffbff220, cksum=0xffbff210, valid=0xffbff1fc)
at ../../../../src/lib/crypto/krb/verify_checksum.c:87
#2 0xff2d8b58 in k5_pac_verify_server_checksum (context=0x27e00, pac=0x23f98,
server=0xffbff450) at ../../../../src/lib/krb5/krb/pac.c:608
#3 0xff2d8cc8 in krb5_pac_verify (context=0x27e00, pac=0x23f98,
authtime=1277912392, principal=0x27658, server=0xffbff450, privsvr=0x0)
at ../../../../src/lib/krb5/krb/pac.c:684
#4 0xff2d9714 in mspac_verify (kcontext=0x27e00, context=0x28a38,
plugin_context=0x0, request_context=0x29080, auth_context=0xffbff650,
key=0xffbff450, req=0x258) at ../../../../src/lib/krb5/krb/pac.c:1088
#5 0xff2c47e0 in krb5int_authdata_verify (kcontext=0x27e00, context=0x28a38,
usage=15, auth_context=0xffbff650, key=0xffbff450, ap_req=0x26d58)
at ../../../../src/lib/krb5/krb/authdata.c:672
a
where:
(gdb) p *ktp
$37 = {etype = 18, name = 0xff265440 <error reading variable>, aliases = {
0xff265458 <error reading variable>, 0x0},
out_string = 0xff265468 <error reading variable>, enc = 0xff276128,
hash = 0xff276030, prf_length = 16,
crypto_length = 0xff24465c <krb5int_aes_crypto_length>,
encrypt = 0xff2446dc <krb5int_dk_encrypt>,
decrypt = 0xff2449f4 <krb5int_dk_decrypt>,
str2key = 0xff245348 <krb5int_aes_string_to_key>,
prf = 0xff24715c <krb5int_dk_prf>, required_ctype = 16, flags = 0}
(gdb) p *ctp
$39 = {ctype = -138, name = 0xff265088 <error reading variable>, aliases = {
0xff265098 <error reading variable>, 0xff2650a8 <error reading variable>},
out_string = 0xff2650c0 <error reading variable>, enc = 0xff2760d8,
hash = 0xff27601c, checksum = 0xff246d80 <krb5int_hmacmd5_checksum>,
verify = 0, compute_size = 16, output_size = 16, flags = 0}
--------------070602080302050407000807
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
--------------070602080302050407000807--