From 1dd613afe881189de58c3a3306f5fa74206e572f Mon Sep 17 00:00:00 2001
From: Robbie Harwood
Date: Thu, 25 Aug 2016 14:04:19 +0000
Subject: [PATCH] Fix KDC return code and set prompt types for OTP client preauth
Resolves: #1370072
---
 ...-1.15-improve-bad-password-inference.patch | 82 +++++++++++++++++++
 krb5-1.15-kdc-error-encrypted-timestamp.patch | 68 +++++++++++++++
 krb5-1.15-otp-preauth-prompt-type.patch | 49 +++++++++++
 krb5.spec | 16 +++-
 4 files changed, 213 insertions(+), 2 deletions(-)
 create mode 100644 krb5-1.15-improve-bad-password-inference.patch
 create mode 100644 krb5-1.15-kdc-error-encrypted-timestamp.patch
 create mode 100644 krb5-1.15-otp-preauth-prompt-type.patch
diff --git a/krb5-1.15-improve-bad-password-inference.patch b/krb5-1.15-improve-bad-password-inference.patch
new file mode 100644
index 0000000..8e1424a
--- /dev/null
+++ b/krb5-1.15-improve-bad-password-inference.patch
@@ -0,0 +1,82 @@
+From c8938509344921906aa74d31eb6befe58055fc1d Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Mon, 25 Jul 2016 13:28:43 -0400
+Subject: [PATCH 2/3] Improve bad password inference in kinit
+
+kinit currently outputs "Password incorrect" if it sees a
+bad-integrity error code, which results if the KDC reply couldn't be
+decrypted, or when encrypted timestamp preauth fails against an MIT
+krb5 1.14 or earlier KDC. Expand this check to include general
+preauth failures reported by the KDC, but only if a password was
+prompted for.
+
+ticket: 8465 (new)
+(cherry picked from commit 1a83ffad4d8e405ce696536c06d9bce1f8100595)
+---
+ src/clients/kinit/kinit.c | 26 ++++++++++++++++++++------
+ 1 file changed, 20 insertions(+), 6 deletions(-)
+
+diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
+index eba36b9..990fd11 100644
+--- a/src/clients/kinit/kinit.c
++++ b/src/clients/kinit/kinit.c
+@@ -700,9 +700,18 @@ kinit_prompter(
+ krb5_prompt prompts[]
+ )
+ {
+- krb5_error_code rc =
+- krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+- return rc;
++ krb5_boolean *pwprompt = data;
++ krb5_prompt_type *ptypes;
++ int i;
++
++ /* Make a note if we receive a password prompt. 
*/
++ ptypes = krb5_get_prompt_types(ctx);
++ for (i = 0; i < num_prompts; i++) {
++ if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)
++ *pwprompt = TRUE;
++ }
++
++ return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+ }
+
+ static int
+@@ -715,6 +724,7 @@ k5_kinit(opts, k5)
+ krb5_creds my_creds;
+ krb5_error_code code = 0;
+ krb5_get_init_creds_opt *options = NULL;
++ krb5_boolean pwprompt = FALSE;
+ int i;
+
+ memset(&my_creds, 0, sizeof(my_creds));
+@@ -819,7 +829,7 @@ k5_kinit(opts, k5)
+ switch (opts->action) {
+ case INIT_PW:
+ code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
+- 0, kinit_prompter, 0,
++ 0, kinit_prompter, &pwprompt,
+ opts->starttime,
+ opts->service_name,
+ options);
+@@ -856,11 +866,15 @@ k5_kinit(opts, k5)
+ break;
+ }
+
+- if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
++ /* If reply decryption failed, or if pre-authentication failed and we
++ * were prompted for a password, assume the password was wrong. */
++ if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY ||
++ (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) {
+ fprintf(stderr, _("%s: Password incorrect while %s\n"), progname,
+ doing);
+- else
++ } else {
+ com_err(progname, code, _("while %s"), doing);
++ }
+ goto cleanup;
+ }
+
+--
+2.9.3
+
diff --git a/krb5-1.15-kdc-error-encrypted-timestamp.patch b/krb5-1.15-kdc-error-encrypted-timestamp.patch
new file mode 100644
index 0000000..cbf9309
--- /dev/null
+++ b/krb5-1.15-kdc-error-encrypted-timestamp.patch
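Review bot: `kinit_prompter` now dereferences `data` unconditionally (`*pwprompt = TRUE`), so every path that installs it as the prompter must pass a non-NULL `krb5_boolean *`; only the INIT_PW call in `k5_kinit` is updated in the hunk and the remaining `opts->action` cases lie outside it, so it is worth confirming none of them still passes `0` as the prompter data. The `ptypes != NULL` test is loop-invariant and reads better as a loop guard: `for (i = 0; ptypes != NULL && i < num_prompts; i++) {` with the body reduced to `if (ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD)`. A contract comment above the function would also help, e.g. `/* Prompter callback for kinit; data points to a krb5_boolean that is set to TRUE when any password-type prompt is issued. */`. Because the "Password incorrect" message now keys on a password prompt having been seen, it presumably relies on other mechanisms tagging their prompts as non-password (the OTP patch in this same commit does so), so the spec's ordering of patch167 before patch168 looks intentional and should be kept. Both `kinit_prompter`'s signature and the body of `k5_kinit` start outside the hunk.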
@@ -0,0 +1,68 @@
+From 7b072ef4135e776982a61fae62cda9a5f0fe001b Mon Sep 17 00:00:00 2001
+From: Andreas Schneider
+Date: Mon, 8 Aug 2016 18:03:55 +0200
+Subject: [PATCH 3/3] Change KDC error for encrypted timestamp preauth
+
+When encrypted timestamp pre-authentication fails, respond with error
+code KDC_ERR_PREAUTH_FAILED, rather than KRB_AP_ERR_BAD_INTEGRITY, for
+consistency with other Kerberos implementations.
+
+[ghudson@mit.edu: clarified commit message and comment]
+
+ticket: 8471 (new)
+(cherry picked from commit 2653d69e0705a925597dff10083a24a77e2a20af)
+---
+ src/kdc/kdc_preauth_encts.c | 16 ++++------------
+ 1 file changed, 4 insertions(+), 12 deletions(-)
+
+diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c
+index 65f7c36..e80dc12 100644
+--- a/src/kdc/kdc_preauth_encts.c
++++ b/src/kdc/kdc_preauth_encts.c
+@@ -59,7 +59,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_key_data * client_key;
+ krb5_int32 start;
+ krb5_timestamp timenow;
+- krb5_error_code decrypt_err = 0;
+
+ scratch.data = (char *)pa->contents;
+ scratch.length = pa->length;
+@@ -74,7 +73,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ goto cleanup;
+
+ start = 0;
+- decrypt_err = 0;
+ while (1) {
+ if ((retval = krb5_dbe_search_enctype(context, rock->client,
+ &start, enc_data->enctype,
+@@ -92,8 +90,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request,
+ krb5_free_keyblock_contents(context, &key);
+ if (retval == 0)
+ break;
+- else
+- decrypt_err = retval;
+ }
+
+ if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0)
+@@ -119,14 +115,10 @@ cleanup:
+ krb5_free_data_contents(context, &enc_ts_data);
+ if (pa_enc)
+ free(pa_enc);
+- /*
+- * If we get NO_MATCHING_KEY and decryption previously failed, and
+- * we failed to find any other keys of the correct enctype after
+- * that failed decryption, it probably means that the password was
+- * 
incorrect.
+- */
+- if (retval == KRB5_KDB_NO_MATCHING_KEY && decrypt_err != 0)
+- retval = decrypt_err;
++ /* If we get NO_MATCHING_KEY, it probably means that the password was
++ * incorrect. */
++ if (retval == KRB5_KDB_NO_MATCHING_KEY)
++ retval = KRB5KDC_ERR_PREAUTH_FAILED;
+
+ (*respond)(arg, retval, NULL, NULL, NULL);
+ }
+--
+2.9.3
+
diff --git a/krb5-1.15-otp-preauth-prompt-type.patch b/krb5-1.15-otp-preauth-prompt-type.patch
new file mode 100644
index 0000000..2c3d975
--- /dev/null
+++ b/krb5-1.15-otp-preauth-prompt-type.patch
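Review bot: The new `cleanup:` code maps every `KRB5_KDB_NO_MATCHING_KEY` to `KRB5KDC_ERR_PREAUTH_FAILED`, including the case where the principal has no key of the enctype the client chose, which the removed `decrypt_err` logic deliberately kept distinct from a decryption failure; combined with the kinit change in this same commit, that case is now presented to the user as a wrong password. If that collapse is intended (the commit message cites consistency with other implementations), the replacement comment should state it instead of repeating the old "probably the password" guess, e.g. `/* Either no key of the requested enctype exists or none of them decrypted the timestamp; report both as a generic preauth failure for consistency with other implementations. */`. `enc_ts_verify` starts before the first hunk and the `while (1)` key-search loop is only partly visible, so I cannot tell from here whether a missing enctype is already rejected before reaching `cleanup:`.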
@@ -0,0 +1,49 @@
+From 4885a9b10ddf457f290ff5e9ce4a9a99765cfd1d Mon Sep 17 00:00:00 2001
+From: Greg Hudson
+Date: Mon, 25 Jul 2016 13:23:31 -0400
+Subject: [PATCH 1/3] Set prompt type for OTP preauth prompt
+
+Add k5_set_prompt_type() calls around the prompter invocation in
+preauth_otp.c, and add the comment we conventionally put before
+prompter invocations.
+
+ticket: 8464 (new)
+(cherry picked from commit 7d497a56279dcb59b6be9f8994257e76788d2e89)
+---
+ src/lib/krb5/krb/preauth_otp.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c
+index 3de528b..01c48b4 100644
+--- a/src/lib/krb5/krb/preauth_otp.c
++++ b/src/lib/krb5/krb/preauth_otp.c
+@@ -31,6 +31,7 @@
+ #include "k5-int.h"
+ #include "k5-json.h"
+ #include "int-proto.h"
++#include "os-proto.h"
+
+ #include
+ #include
+@@ -475,6 +476,7 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
+ krb5_prompt prompt;
+ krb5_data prompt_reply;
+ krb5_error_code retval;
++ krb5_prompt_type prompt_type = KRB5_PROMPT_TYPE_PREAUTH;
+
+ if (prompttxt == NULL || out == NULL)
+ return EINVAL;
+@@ -486,7 +488,10 @@ doprompt(krb5_context context, krb5_prompter_fct prompter, void *prompter_data,
+ prompt.prompt = (char *)prompttxt;
+ prompt.hidden = 1;
+
++ /* PROMPTER_INVOCATION */
++ k5_set_prompt_types(context, &prompt_type);
+ retval = (*prompter)(context, prompter_data, NULL, banner, 1, &prompt);
++ k5_set_prompt_types(context, NULL);
+ if (retval != 0)
+ return retval;
+
+--
+2.9.3
+
diff --git a/krb5.spec b/krb5.spec
index 6abb731..f9ec0ba 100644
--- a/krb5.spec
+++ b/krb5.spec
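Review bot: The reset `k5_set_prompt_types(context, NULL)` after the prompter call is what keeps the context from retaining a pointer to the stack local `prompt_type` (the matching `krb5_get_prompt_types(ctx)` in the kinit patch suggests the pointer is stored in the context), and that invariant is unstated; a comment on the reset line such as `/* Clear before returning: prompt_type lives on this stack frame. */` would stop a later early return placed between the two calls from quietly breaking it. As written the reset correctly precedes the `if (retval != 0)` check, so the error path is covered. The stored array has one element, matching the single prompt passed (`1, &prompt`), which must be kept in step if more prompts are ever added; `doprompt` begins before the hunk.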
@@ -13,7 +13,7 @@ Summary: The Kerberos network authentication system
 Name: krb5
 Version: 1.14.3
-Release: 5%{?dist}
+Release: 6%{?dist}
 # - Maybe we should explode from the now-available-to-everybody tarball instead?
 # http://web.mit.edu/kerberos/dist/krb5/1.13/krb5-1.13.2-signed.tar
 # - The sources below are stored in a lookaside cache. Upload with
@@ -65,6 +65,10 @@ Patch165: krb5-1.15-kdc_hooks_test.patch
 Patch166: krb5-1.14.4-SNI-HTTP-Host.patch
+Patch167: krb5-1.15-otp-preauth-prompt-type.patch
+Patch168: krb5-1.15-improve-bad-password-inference.patch
+Patch169: krb5-1.15-kdc-error-encrypted-timestamp.patch
+
 License: MIT
 URL: http://web.mit.edu/kerberos/www/
 Group: System Environment/Libraries
@@ -272,7 +276,11 @@ ln NOTICE LICENSE
 %patch164 -p1 -b .kdc_send_receive_hooks
 %patch165 -p1 -b .kdc_hooks_test
-%patch166 -p1 -b .krb5-1.14.4-SNI-HTTP-Host.patch
+%patch166 -p1 -b .SNI-HTTP-Host
+
+%patch167 -p1 -b .otp-preauth-prompt-type
+%patch168 -p1 -b .improve-bad-password-inference
+%patch169 -p1 -b .kdc-error-encrypted-timestamp
 # Take the execute bit off of documentation.
 chmod -x doc/krb5-protocol/*.txt doc/ccapi/*.html
@@ -742,6 +750,10 @@ exit 0
 %{_libdir}/libkadm5srv_mit.so.*
 %changelog
+* Thu Aug 25 2016 Robbie Harwood - 1.14.3-6
+- Fix KDC return code and set prompt types for OTP client preauth
+- Resolves: #1370072
+
 * Mon Aug 15 2016 Robbie Harwood - 1.14.3-5
 - Turn OFD locks back on with glibc workaround
 - Resolves: #1274922