#2 MIT Kerberos V 1.3 & krb_mk_in_tkt_preauth

open
Balazs GAL
Core Code (7)
7
2003-08-02
2003-07-22
Craig Huckabee
No

pam_krb5afs.c make use of the krb_mk_in_tkt_preauth
which is no longer an exported function in version 1.3 of
MIT Kerberos V. Sorry, no patch yet - haven't figured
out an appropriate workaround.

Discussion

  • Craig Huckabee
    Craig Huckabee
    2003-07-22

    • priority: 5 --> 7
     
  • Balazs GAL
    Balazs GAL
    2003-08-02

    • summary: MIT Kerberos V 1.3 & krb_mk_in_tkt_preauth --> MIT Kerberos V 1.3 & krb_mk_in_tkt_preauth
     
  • Balazs GAL
    Balazs GAL
    2003-08-02

    • labels: --> Core Code
    • assigned_to: nobody --> balsa
     
  • Alexei Kosut
    Alexei Kosut
    2004-02-14

    Logged In: YES
    user_id=55722

    Here's a patch (against pam_krb5-1.3-rc7) that fixes this issue and
    makes native_krb4_tgt work out of the box with krb5-1.3.1. It
    replaces about a hundred lines of code with a single API call that
    does the right thing. This patch also fixes a bug that prevents
    native_krb4_tgt from working when the v4 and v5 realms have
    different names.

    diff -bru orig/pam_krb5-1.3-rc7/pam_krb5afs.c pam_krb5-1.3-rc7/
    pam_krb5afs.c
    --- orig/pam_krb5-1.3-rc7/pam_krb5afs.c Mon Mar 10 15:37:00
    2003
    +++ pam_krb5-1.3-rc7/pam_krb5afs.c Fri Feb 13 17:32:21 2004
    @@ -2237,14 +2238,17 @@

            /\* Request a TGT for this realm. \*/
            strncpy\(sname, "krbtgt", sizeof\(sname\) - 1\);
    

    - strncpy(sinst, realm, sizeof(sinst) - 1);
    + strncpy(sinst, v4realm, sizeof(sinst) - 1);

            /\* Note: the lifetime is measured in multiples of 5m.
    

    */
    - k4rc = krb_mk_in_tkt_preauth(v4name, v4inst,
    v4realm,
    +
    + k4rc = krb_get_pw_in_tkt_creds(v4name, v4inst,
    v4realm,
    sname, sinst,
    config->ticket_lifetime
    / 60 / 5,
    - NULL, 0, ciphertext);
    + (char *)goodpass,
    + &stash->v4_creds);
    +
    if (k4rc != KSUCCESS) {
    INFO("couldn't get v4 TGT for %s%s%s@%s
    (%s), "
    "continuing", v4name,
    @@ -2252,101 +2256,6 @@
    krb_get_err_text(k4rc));
    }
    if (k4rc == KSUCCESS) {
    - unsigned char *p = ciphertext->dat;
    - int len;
    -
    - /* Convert the password to a v4 key. */
    - des_string_to_key((char*)goodpass, key);
    - des_key_sched(key, key_schedule);
    -
    - /* Decrypt the TGT. */
    - des_pcbc_encrypt((C_Block*)ciphertext->dat,
    - (C_Block*)ciphertext->dat,
    - ciphertext->length,
    - key_schedule,
    - (C_Block*)key,
    - 0);
    - memset(key, 0, sizeof(key));
    - memset(key_schedule, 0, sizeof(key_schedule));
    -
    - /* Decompose the returned data. Now I know
    - * why Kerberos 5 uses ASN.1 encoding.... */
    - memset(&stash->v4_creds, 0,
    - sizeof(stash->v4_creds));
    -
    - /* Initial values. */
    - strncpy((char*)&stash->v4_creds.pname,
    v4name,
    - sizeof(stash->v4_creds.pname) - 1);
    - strncpy((char*)&stash->v4_creds.pinst, v4inst,
    - sizeof(stash->v4_creds.pinst) - 1);
    -
    - /* Session key. */
    - len = ciphertext->length;
    - DEBUG("ciphertext length in TGT = %d", len);
    -
    - memcpy(&stash->v4_creds.session, p, 8);
    - p += 8;
    - len -= 8;
    -
    - /* Service name. */
    - if (xstrnlen(p, len) > 0) {
    - strncpy(stash->v4_creds.service, p,
    - sizeof(stash->v4_creds.service)
    - - 1);
    - } else {
    - INFO("service name in v4 TGT too long: "
    - "%.8s", p);
    - }
    - p += (strlen(stash->v4_creds.service) + 1);
    - len -= (strlen(stash->v4_creds.service) + 1);
    -
    - /* Service instance. */
    - if (xstrnlen(p, len) > 0) {
    - strncpy(stash->v4_creds.instance, p,
    - sizeof(stash->v4_creds.instance)
    - - 1);
    - }
    - p += (strlen(stash->v4_creds.instance) + 1);
    - len -= (strlen(stash->v4_creds.instance) + 1);
    -
    - /* Service realm. */
    - if (xstrnlen(p, len) > 0) {
    - strncpy(stash->v4_creds.realm, p,
    - sizeof(stash->v4_creds.realm)
    - - 1);
    - }
    - p += (strlen(stash->v4_creds.realm) + 1);
    - len -= (strlen(stash->v4_creds.realm) + 1);
    -
    - /* Lifetime, kvno, length. */
    - if (len >= 3) {
    - stash->v4_creds.lifetime = p[0];
    - stash->v4_creds.kvno = p[1];
    - stash->v4_creds.ticket_st.length = p[2];
    - }
    - p += 3;
    - len -= 3;
    -
    - /* Ticket data. */
    - if (len >= stash->v4_creds.ticket_st.length) {
    - memcpy(stash->v4_creds.ticket_st.dat, p,
    - stash->v4_creds.ticket_st.length);
    - }
    - p += stash->v4_creds.ticket_st.length;
    - len -= stash->v4_creds.ticket_st.length;
    -
    - /* Timestamp. */
    - if (len >= 4) {
    - memcpy(&stash->v4_creds.issue_date,
    - p, 4);
    - /* We can't tell if we need to byte-swap
    - * or not, so just make up an issue date
    - * that looks reasonable. */
    - stash->v4_creds.issue_date = time(NULL);
    - }
    - p += 4;
    - len -= 4;
    -

                DEBUG\("Got v4 TGT for \`%s%s%s@%s'",
                      stash->v4\_creds.service,
    

    @@ -2355,18 +2264,6 @@
    stash->v4_creds.instance,
    stash->v4_creds.realm);
    stash->have_v4_creds = TRUE;
    -
    - /* Sanity checks. */
    - if (len != 0) {
    - INFO("Got %d extra bytes in v4 TGT",
    - ciphertext->length - len);
    - DEBUG("Extra data =
    %c%c%c%c%c%c%c%c",
    - p[0], p[1], p[2], p[3],
    - p[4], p[5], p[6], p[7]);
    - DEBUG("Extra data =
    %c%c%c%c%c%c%c%c",
    - p[9], p[10], p[11], p[12],
    - p[13], p[14], p[15], p[16]);
    - }
    }
    }
    #endif

     
  • Craig Huckabee
    Craig Huckabee
    2004-06-07

    Logged In: YES
    user_id=72607

    I think this can be closed - the patch below has been
    working for me with Krb5 1.3.2 and above.