Fix KDC return code and set prompt types for OTP client preauth

Resolves: #1370072
Robbie Harwood 2016-08-25 14:04:19 +00:00
parent 136cc25087
commit 1dd613afe8
4 changed files with 213 additions and 2 deletions


@ -0,0 +1,82 @@
From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:28:43 -0400
Subject: [PATCH 2/3] Improve bad password inference in kinit
kinit currently outputs "Password incorrect" if it sees a
bad-integrity error code, which results if the KDC reply couldn't be
decrypted, or when encrypted timestamp preauth fails against an MIT
krb5 1.14 or earlier KDC. Expand this check to include general
preauth failures reported by the KDC, but only if a password was
prompted for.
ticket: 8465 (new)
(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
---
src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
1 file changed, 20 insertions(+), 6 deletions(-)
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index eba36b9..990fd11 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -700,9 +700,18 @@ kinit_prompter(
krb5_prompt prompts[]
)
{
- krb5_error_code rc =
- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
- return rc;
+ krb5_boolean *pwprompt = data;
+ krb5_prompt_type *ptypes;
+ int i;
+
+ /* Make a note if we receive a password prompt. */
+ ptypes = krb5_get_prompt_types(ctx);
+ for (i = 0; i < num_prompts; i++) {
+ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
+ *pwprompt = TRUE;
+ }
+
+ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
}
static int
@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
krb5_creds my_creds;
krb5_error_code code = 0;
krb5_get_init_creds_opt *options = NULL;
+ krb5_boolean pwprompt = FALSE;
int i;
memset(&my_creds, 0, sizeof(my_creds));
@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
switch (opts->action) {
case INIT_PW:
code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
- 0, kinit_prompter, 0,
+ 0, kinit_prompter, &pwprompt,
opts->starttime,
opts->service_name,
options);
@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
break;
}
- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ /* If reply decryption failed, or if pre-authentication failed and we
+ * were prompted for a password, assume the password was wrong. */
+ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
+ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
doing);
- else
+ } else {
com_err(progname, code, _("while %s"), doing);
+ }
goto cleanup;
}
--
2.9.3
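Review bot: kinit_prompter now writes through its `data` argument unconditionally (`*pwprompt = TRUE;`), so any caller that still hands it a null prompter-data pointer would dereference NULL on the first password prompt; this patch updates only the INIT_PW call site, and whether kinit_prompter is passed with `0` as data anywhere else is not visible here. A cheap guard covers that case either way: `if (pwprompt != NULL && ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)`. The `ptypes != NULL` test could also be hoisted out of the loop, since the loop does nothing when the prompt-type array is absent. kinit_prompter's signature begins outside the hunk, so the declared type of `data` cannot be confirmed from what is shown.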


@ -0,0 +1,68 @@
From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Mon, 8 Aug 2016 18:03:55 +0200
Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth
When encrypted timestamp pre-authentication fails, respond with error
code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
consistency with other Kerberos implementations.
[ghudson@mit.edu: clarified commit message and comment]
ticket: 8471 (new)
(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
---
src/kdc/kdc_preauth_encts.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
index 65f7c36..e80dc12 100644
--- a/src/kdc/kdc_preauth_encts.c
+++ b/src/kdc/kdc_preauth_encts.c
@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_key_data * client_key;
krb5_int32 start;
krb5_timestamp timenow;
- krb5_error_code decrypt_err = 0;
scratch.data = (char *)pa->contents;
scratch.length = pa->length;
@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
goto cleanup;
start = 0;
- decrypt_err = 0;
while (1) {
if ((retval = krb5_dbe_search_enctype(context, rock->client,
&start, enc_data->enctype,
@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
krb5_free_keyblock_contents(context, &key);
if (retval == 0)
break;
- else
- decrypt_err = retval;
}
if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
@@ -119,14 +115,10 @@ cleanup:
krb5_free_data_contents(context, &enc_ts_data);
if (pa_enc)
free(pa_enc);
- /*
- * If we get NO_MATCHING_KEY and decryption previously failed, and
- * we failed to find any other keys of the correct enctype after
- * that failed decryption, it probably means that the password was
- * incorrect.
- */
- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
- retval = decrypt_err;
+ /* If we get NO_MATCHING_KEY, it probably means that the password was
+ * incorrect. */
+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
+ retval = KRB5KDC_ERR_PREAUTH_FAILED;
(*respond)(arg, retval, NULL, NULL, NULL);
}
--
2.9.3
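Review bot: The replacement comment at the cleanup label says NO_MATCHING_KEY "probably means that the password was incorrect", but after this change that code is also what remains when the client has no key of the requested enctype at all — the removed `decrypt_err` bookkeeping is what used to separate the two cases, and the new code maps both to KRB5KDC_ERR_PREAUTH_FAILED. Collapsing them is reasonable (the requester gets the same generic failure either way and learns less about the principal's key set), but the comment should say so rather than describe one cause, e.g. `/* NO_MATCHING_KEY means either no key of the requested enctype exists or every such key failed to decrypt the timestamp; report both as a generic preauth failure, as other implementations do. */`. That krb5_dbe_search_enctype is the only source of NO_MATCHING_KEY here is inferred from the loop near the top of the function; enc_ts_verify begins outside the hunk.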


@ -0,0 +1,49 @@
From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Mon, 25 Jul 2016 13:23:31 -0400
Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt
Add k5_set_prompt_type() calls around the prompter invocation in
preauth_otp.c, and add the comment we conventionally put before
prompter invocations.
ticket: 8464 (new)
(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
---
src/lib/krb5/krb/preauth_otp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
index 3de528b..01c48b4 100644
--- a/src/lib/krb5/krb/preauth_otp.c
+++ b/src/lib/krb5/krb/preauth_otp.c
@@ -31,6 +31,7 @@
#include "k5-int.h"
#include "k5-json.h"
#include "int-proto.h"
+#include "os-proto.h"
#include <krb5/clpreauth_plugin.h>
#include <ctype.h>
@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
krb5_prompt prompt;
krb5_data prompt_reply;
krb5_error_code retval;
+ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
if (prompttxt == NULL || out == NULL)
return EINVAL;
@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
prompt.prompt = (char *)prompttxt;
prompt.hidden = 1;
+ /* PROMPTER_INVOCATION */
+ k5_set_prompt_types(context, &prompt_type);
retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
+ k5_set_prompt_types(context, NULL);
if (retval != 0)
return retval;
--
2.9.3
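Review bot: The `k5_set_prompt_types(context, NULL);` reset after the prompter call in doprompt carries no comment explaining why it must stay adjacent to the call: `prompt_type` is a stack local of doprompt, so a pointer to it left registered in the context would dangle as soon as doprompt returns. A one-line comment on the reset line, such as `/* Clear the pointer to our stack-local prompt type before any return path. */`, would protect against a later edit inserting an early return between the two calls. That k5_set_prompt_types stores the pointer rather than copying the value is inferred from the reset-to-NULL pattern and is not visible here; doprompt begins outside the hunk.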


@ -13,7 +13,7 @@
Summary: The Kerberos network authentication system
Name: krb5
Version: 1.14.3
Release: 5%{?dist}
Release: 6%{?dist}
# - Maybe we should explode from the now-available-to-everybody tarball instead?
# http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
# - The sources below are stored in a lookaside cache. Upload with
@ -65,6 +65,10 @@ Patch165: krb5-1.15-kdc_hooks_test.patch
Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
Patch167: krb5-1.15-otp-preauth-prompt-type.patch
Patch168: krb5-1.15-improve-bad-password-inference.patch
Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
License: MIT
URL: http://web.mit.edu/kerberos/www/
Group: System Environment/Libraries
@ -272,7 +276,11 @@ ln NOTICE LICENSE
%patch164 -p1 -b .kdc_send_receive_hooks
%patch165 -p1 -b .kdc_hooks_test
%patch166 -p1 -b .krb5-1.14.4-SNI-HTTP-Host.patch
%patch166 -p1 -b .SNI-HTTP-Host
%patch167 -p1 -b .otp-preauth-prompt-type
%patch168 -p1 -b .improve-bad-password-inference
%patch169 -p1 -b .kdc-error-encrypted-timestamp
# Take the execute bit off of documentation.
chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@ -742,6 +750,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.*
%changelog
* Thu Aug 25 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-6
- Fix KDC return code and set prompt types for OTP client preauth
- Resolves: #1370072
* Mon Aug 15 2016 Robbie Harwood <rharwood@redhat.com> - 1.14.3-5
- Turn OFD locks back on with glibc workaround
- Resolves: #1274922