[33379] in Kerberos


Re: bug report: S4U2Self Solaris-10 -> Windows-2003 fails with

daemon@ATHENA.MIT.EDU (Luke Howard)
Thu May 12 20:31:39 2011

From: Luke Howard <lukeh@padl.com>
In-Reply-To: <alpine.DEB.1.10.1105121947470.22892@seraph.oankali.net>
Date: Fri, 13 May 2011 02:31:32 +0200
Message-Id: <7B598476-A780-4DF5-A506-2886C7D4CE0F@padl.com>
To: Richard Silverman <res@qoxp.net>
Cc: MIT Kerberos <kerberos@mit.edu>

I guess we could special case this for DES enctypes but as that checksum is unkeyed, it's not really desirable to use in the general case. Otherwise an attacker can change the impersonated principal name.

-- Luke

On 13/05/2011, at 2:07 AM, Richard Silverman wrote:

> Hello,
> 
> configuration
> -------------
>  client: MIT Kerberos 1.9.1 on Solaris-10
>     KDC: Windows 2003 domain controller
> 
> 
> Using the supplied t_s4u.c test program, S4U2Self fails with
> KRB5KRB_AP_ERR_MODIFIED (41).  The TGS_REQ uses a checksum of type
> CKSUMTYPE_RSA_MD5_DES(8) in the PA-S4U2SELF(129) field.  However, if I
> apply this patch to force CKSUMTYPE_CRC32(1) instead:
> 
> --------------------------------------------------------------------------------
> --- src/lib/krb5/krb/s4u_creds.c.orig   2010-04-22 23:29:40.000000000 +0000
> +++ src/lib/krb5/krb/s4u_creds.c        2011-05-12 23:55:48.504446000 +0000
> @@ -181,7 +181,7 @@
>         return code;
>     }
> 
> -    code = krb5_c_make_checksum(context, cksumtype, key,
> +    code = krb5_c_make_checksum(context, CKSUMTYPE_CRC32, key,
>                                 KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
>                                 cksum);
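
Review bot: In the `krb5_c_make_checksum` call, replacing the `cksumtype` argument with the constant `CKSUMTYPE_CRC32` forces CRC32 for every request rather than only for the case that failed, and CRC32 is unkeyed, so the `key` still passed on that line no longer protects the checksum. Keep `cksumtype` as the default and select `CKSUMTYPE_CRC32` only under an explicit condition for the case that needs it (the reply suggests DES enctypes), with a comment saying why the weaker checksum is accepted there.
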
> --------------------------------------------------------------------------------
> 
> ... then the S4U2Self request succeeds.  I thought to do this because I
> already had it working with Heimdal, and it uses the CRC checksum.
> 
> I have attached network traces of the failing and working transactions.
> The principal impersonator/dportal@DESHAW.COM is authorized on the Windows
> KDC for constrained delegation with protocol transition; this transaction
> asks for a S4U2Self ticket issued to res@DESHAW.COM for
> impersonator/dportal@DESHAW.COM.
> 
> Thanks,
> 
> - Richard Silverman
>  res@qoxp.net
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
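
The reply's point about the unkeyed checksum, as an added example that is not part of the original thread or of MIT krb5: a verifier holding the session key checks a name/realm payload under an unkeyed and a keyed checksum, first for an unmodified request and then for one rewritten by a party without the key. Assumptions: the length-prefixed encoding is constructed (not the real PA-S4U2SELF ASN.1), `zlib.crc32` and HMAC-SHA-256 are stand-ins for the Kerberos checksum types, and the name `other-user` and the key are constructed.

```python
import hashlib
import hmac
import struct
import zlib

def encode_for_user(name, realm):
    # Constructed, simplified layout: two length-prefixed fields.
    out = b""
    for field in (name, realm):
        raw = field.encode()
        out += struct.pack(">H", len(raw)) + raw
    return out

def crc32_cksum(key, data):
    # Unkeyed: the key is accepted, as in the patched call, but never used.
    return struct.pack(">I", zlib.crc32(data) & 0xFFFFFFFF)

def hmac_cksum(key, data):
    # Keyed stand-in: the result depends on the session key.
    return hmac.new(key, data, hashlib.sha256).digest()

def kdc_accepts(cksum_fn, key, data, cksum):
    # The verifier recomputes the checksum with the real session key.
    return hmac.compare_digest(cksum_fn(key, data), cksum)

def rewritten_without_key(new_name, realm, cksum_fn):
    # What a party that does not hold the session key can produce:
    # a changed payload plus a checksum computed under a guessed key.
    data = encode_for_user(new_name, realm)
    return data, cksum_fn(b"\x00" * 16, data)

def compare_checksums():
    key = bytes(range(1, 17))  # constructed session key
    results = {}
    for label, fn in (("crc32", crc32_cksum), ("hmac", hmac_cksum)):
        data = encode_for_user("res", "DESHAW.COM")
        original_ok = kdc_accepts(fn, key, data, fn(key, data))
        forged_data, forged_ck = rewritten_without_key("other-user", "DESHAW.COM", fn)
        rewritten_ok = kdc_accepts(fn, key, forged_data, forged_ck)
        results[label] = (original_ok, rewritten_ok)
    return results

if __name__ == "__main__":
    for label, (original_ok, rewritten_ok) in compare_checksums().items():
        print(f"{label}: original accepted={original_ok}, rewritten accepted={rewritten_ok}")
```
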


