rpms/krb5
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Include preauth names in trace output where possible

Browse Source 
Also fix misc bugs
This commit is contained in:
Robbie Harwood 2018-03-20 11:20:09 -04:00
parent a387becbf5
commit 2eafc4d8aa
5 changed files with 647 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
Allow-validation-of-PACs-with-enterprise-names.patch Normal file
View File

@ -0,0 +1,49 @@
From 8a2ceda87107973ec10fec532c095cf347ec050c Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 14 Mar 2018 01:19:17 +0200
Subject: [PATCH] Allow validation of PACs with enterprise names
In k5_pac_validate_client(), if we are verifying against an enterprise
principal, parse the PAC_CLIENT_INFO field as an enterprise principal.
This scenario may arise in the response to an S4U2Self request for an
enterprise principal, as the KDC does not appear to canonicalize the
client principal requested in PA-FOR-USER.
[ghudson@mit.edu: rewrote commit message; adjusted style]
ticket: 8649 (new)
tags: pullup
target_version: 1.16-next
(cherry picked from commit f876aab80a69f9b934cd7f4e2339e3815aa8c4bf)
---
src/lib/krb5/krb/pac.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 0eb19e6bb..c9b5de30a 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -413,6 +413,7 @@ k5_pac_validate_client(krb5_context context,
krb5_ui_2 pac_princname_length;
int64_t pac_nt_authtime;
krb5_principal pac_principal;
+ int flags;
ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
&client_info);
@@ -440,8 +441,12 @@ k5_pac_validate_client(krb5_context context,
if (ret != 0)
return ret;
- ret = krb5_parse_name_flags(context, pac_princname,
- KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal);
+ /* Parse the UTF-8 name as an enterprise principal if we are matching
+ * against one; otherwise parse it as a regular principal with no realm. */
+ flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+ if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
+ flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
+ ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
if (ret != 0) {
free(pac_princname);
return ret;

48
Fix-read-overflow-in-KDC-sort_pa_data.patch Normal file
View File

@ -0,0 +1,48 @@
From 87cc924b8c127afb617cd110b1fbee57f809cd49 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Thu, 15 Mar 2018 20:27:30 -0400
Subject: [PATCH] Fix read overflow in KDC sort_pa_data()
sort_pa_data() could read past the end of pa_order if all preauth
systems in the table have the PA_REPLACES_KEY flag, causing a
dereference of preauth_systems[-1]. This situation became possible
after commit fea1a488924faa3938ef723feaa1ff12d22a91ff with the
elimination of static_preauth_systems; before that there were always
table entries which did not have PA_REPLACES_KEY set.
Fix this bug by removing the loop to count n_key_replacers, and
instead get the count from the prior loop by stopping once we move all
of the key-replacing modules to the front.
(cherry picked from commit b38e318cea18fd65647189eed64aef83bf1cb772)
---
src/kdc/kdc_preauth.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 80b130222..62ff9a8a7 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -663,17 +663,18 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order)
break;
}
}
+ /* If we didn't find one, we have moved all of the key-replacing
+ * modules, and i is the count of those modules. */
+ if (j == n_repliers)
+ break;
}
+ n_key_replacers = i;
if (request->padata != NULL) {
/* Now reorder the subset of modules which replace the key,
* bubbling those which handle pa_data types provided by the
* client ahead of the others.
*/
- for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) {
- continue;
- }
- n_key_replacers = i;
for (i = 0; i < n_key_replacers; i++) {
if (pa_list_includes(request->padata,
preauth_systems[pa_order[i]].type))

514
Include-preauth-name-in-trace-output-if-possible.patch Normal file
View File

@ -0,0 +1,514 @@
From 44fe6e4df092e3bc7673449ccd7c70b6f0a4ccbf Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Thu, 15 Mar 2018 14:37:28 -0400
Subject: [PATCH] Include preauth name in trace output if possible
Add a {patype} trace format specifier for a single pa-type value. Add
a krb5_preauthtype to string conversion function to trace machinery
and use it when formatting {patype} or {patypes}.
[ghudson@mit.edu: wrote conversion function; edited commit message]
ticket: 8653 (new)
(cherry picked from commit 9c68fe39b018666eabe033b639c1f35d03ba51c7)
---
src/include/k5-trace.h | 17 ++--
src/lib/krb5/os/t_trace.ref | 2 +-
src/lib/krb5/os/trace.c | 61 ++++++++++++-
src/tests/t_pkinit.py | 43 ++++-----
src/tests/t_preauth.py | 216 ++++++++++++++++++++++----------------------
5 files changed, 200 insertions(+), 139 deletions(-)
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 390a8b7d6..5f7eb9517 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -75,6 +75,7 @@
* {cksum} const krb5_checksum *, display cksumtype and hex checksum
* {princ} krb5_principal, unparse and display
* {ptype} krb5_int32, krb5_principal type, display name
+ * {patype} krb5_preauthtype, a single padata type number
* {patypes} krb5_pa_data **, display list of padata type numbers
* {etype} krb5_enctype, display shortest name of enctype
* {etypes} krb5_enctype *, display list of enctypes
@@ -232,14 +233,14 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
#define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \
TRACE(c, "Decrypt with preauth AS key failed: {kerr}", code)
#define TRACE_INIT_CREDS_PREAUTH_MORE(c, patype) \
- TRACE(c, "Continuing preauth mech {int}", (int)patype)
+ TRACE(c, "Continuing preauth mech {patype}", patype)
#define TRACE_INIT_CREDS_PREAUTH_NONE(c) \
TRACE(c, "Sending unauthenticated request")
#define TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(c) \
TRACE(c, "Attempting optimistic preauth")
#define TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(c, patype, code) \
- TRACE(c, "Recovering from KDC error {int} using preauth mech {int}", \
- (int)patype, (int)code)
+ TRACE(c, "Recovering from KDC error {int} using preauth mech {patype}", \
+ patype, (int)code)
#define TRACE_INIT_CREDS_RESTART_FAST(c) \
TRACE(c, "Restarting to upgrade to FAST")
#define TRACE_INIT_CREDS_RESTART_PREAUTH_FAILED(c) \
@@ -290,7 +291,7 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
#define TRACE_PREAUTH_CONFLICT(c, name1, name2, patype) \
TRACE(c, "Preauth module {str} conflicts with module {str} for pa " \
- "type {int}", name1, name2, (int) patype)
+ "type {patype}", name1, name2, patype)
#define TRACE_PREAUTH_COOKIE(c, len, data) \
TRACE(c, "Received cookie: {lenstr}", (size_t) len, data)
#define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \
@@ -302,8 +303,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
TRACE(c, "Selected etype info: etype {etype}, salt \"{data}\", " \
"params \"{data}\"", etype, salt, s2kparams)
#define TRACE_PREAUTH_INFO_FAIL(c, patype, code) \
- TRACE(c, "Preauth builtin info function failure, type={int}: {kerr}", \
- (int) patype, code)
+ TRACE(c, "Preauth builtin info function failure, type={patype}: {kerr}", \
+ patype, code)
#define TRACE_PREAUTH_INPUT(c, padata) \
TRACE(c, "Processing preauth types: {patypes}", padata)
#define TRACE_PREAUTH_OUTPUT(c, padata) \
@@ -314,8 +315,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...);
#define TRACE_PREAUTH_SAM_KEY_GAK(c, keyblock) \
TRACE(c, "AS key obtained for SAM: {keyblock}", keyblock)
#define TRACE_PREAUTH_SALT(c, salt, patype) \
- TRACE(c, "Received salt \"{data}\" via padata type {int}", salt, \
- (int) patype)
+ TRACE(c, "Received salt \"{data}\" via padata type {patype}", salt, \
+ patype)
#define TRACE_PREAUTH_SKIP(c, name, patype) \
TRACE(c, "Skipping previously used preauth module {str} ({int})", \
name, (int) patype)
diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref
index ca5818a1e..bd5d9b6b6 100644
--- a/src/lib/krb5/os/t_trace.ref
+++ b/src/lib/krb5/os/t_trace.ref
@@ -38,7 +38,7 @@ int, krb5_principal type: Windows 2000 UPN and SID
int, krb5_principal type: NT 4 style name
int, krb5_principal type: NT 4 style name and SID
int, krb5_principal type: ?
-krb5_pa_data **, display list of padata type numbers: 3, 0
+krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0
krb5_pa_data **, display list of padata type numbers: (empty)
krb5_enctype, display shortest name of enctype: des-cbc-crc
krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511
diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c
index 779f184cb..10b4f0c14 100644
--- a/src/lib/krb5/os/trace.c
+++ b/src/lib/krb5/os/trace.c
@@ -123,6 +123,50 @@ principal_type_string(krb5_int32 type)
}
}
+static char *
+padata_type_string(krb5_preauthtype type)
+{
+ switch (type) {
+ case KRB5_PADATA_TGS_REQ: return "PA-TGS-REQ";
+ case KRB5_PADATA_ENC_TIMESTAMP: return "PA-ENC-TIMESTAMP";
+ case KRB5_PADATA_PW_SALT: return "PA-PW-SALT";
+ case KRB5_PADATA_ENC_UNIX_TIME: return "PA-ENC-UNIX-TIME";
+ case KRB5_PADATA_ENC_SANDIA_SECURID: return "PA-SANDIA-SECUREID";
+ case KRB5_PADATA_SESAME: return "PA-SESAME";
+ case KRB5_PADATA_OSF_DCE: return "PA-OSF-DCE";
+ case KRB5_CYBERSAFE_SECUREID: return "PA-CYBERSAFE-SECUREID";
+ case KRB5_PADATA_AFS3_SALT: return "PA-AFS3-SALT";
+ case KRB5_PADATA_ETYPE_INFO: return "PA-ETYPE-INFO";
+ case KRB5_PADATA_SAM_CHALLENGE: return "PA-SAM-CHALLENGE";
+ case KRB5_PADATA_SAM_RESPONSE: return "PA-SAM-RESPONSE";
+ case KRB5_PADATA_PK_AS_REQ_OLD: return "PA-PK-AS-REQ_OLD";
+ case KRB5_PADATA_PK_AS_REP_OLD: return "PA-PK-AS-REP_OLD";
+ case KRB5_PADATA_PK_AS_REQ: return "PA-PK-AS-REQ";
+ case KRB5_PADATA_PK_AS_REP: return "PA-PK-AS-REP";
+ case KRB5_PADATA_ETYPE_INFO2: return "PA-ETYPE-INFO2";
+ case KRB5_PADATA_SVR_REFERRAL_INFO: return "PA-SVR-REFERRAL-INFO";
+ case KRB5_PADATA_SAM_REDIRECT: return "PA-SAM-REDIRECT";
+ case KRB5_PADATA_GET_FROM_TYPED_DATA: return "PA-GET-FROM-TYPED-DATA";
+ case KRB5_PADATA_SAM_CHALLENGE_2: return "PA-SAM-CHALLENGE2";
+ case KRB5_PADATA_SAM_RESPONSE_2: return "PA-SAM-RESPONSE2";
+ case KRB5_PADATA_PAC_REQUEST: return "PA-PAC-REQUEST";
+ case KRB5_PADATA_FOR_USER: return "PA-FOR_USER";
+ case KRB5_PADATA_S4U_X509_USER: return "PA-FOR-X509-USER";
+ case KRB5_PADATA_AS_CHECKSUM: return "PA-AS-CHECKSUM";
+ case KRB5_PADATA_FX_COOKIE: return "PA-FX-COOKIE";
+ case KRB5_PADATA_FX_FAST: return "PA-FX-FAST";
+ case KRB5_PADATA_FX_ERROR: return "PA-FX-ERROR";
+ case KRB5_PADATA_ENCRYPTED_CHALLENGE: return "PA-ENCRYPTED-CHALLENGE";
+ case KRB5_PADATA_OTP_CHALLENGE: return "PA-OTP-CHALLENGE";
+ case KRB5_PADATA_OTP_REQUEST: return "PA-OTP-REQUEST";
+ case KRB5_PADATA_OTP_PIN_CHANGE: return "PA-OTP-PIN-CHANGE";
+ case KRB5_PADATA_PKINIT_KX: return "PA-PKINIT-KX";
+ case KRB5_ENCPADATA_REQ_ENC_PA_REP: return "PA-REQ-ENC-PA-REP";
+ case KRB5_PADATA_AS_FRESHNESS: return "PA_AS_FRESHNESS";
+ default: return NULL;
+ }
+}
+
static char *
trace_format(krb5_context context, const char *fmt, va_list ap)
{
@@ -140,6 +184,8 @@ trace_format(krb5_context context, const char *fmt, va_list ap)
krb5_key key;
const krb5_checksum *cksum;
krb5_pa_data **padata;
+ krb5_preauthtype pa_type;
+ const char *name;
krb5_ccache ccache;
krb5_keytab keytab;
krb5_creds *creds;
@@ -271,10 +317,23 @@ trace_format(krb5_context context, const char *fmt, va_list ap)
if (padata == NULL || *padata == NULL)
k5_buf_add(&buf, "(empty)");
for (; padata != NULL && *padata != NULL; padata++) {
- k5_buf_add_fmt(&buf, "%d", (int)(*padata)->pa_type);
+ pa_type = (*padata)->pa_type;
+ name = padata_type_string(pa_type);
+ if (name != NULL)
+ k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type);
+ else
+ k5_buf_add_fmt(&buf, "%d", (int)pa_type);
+
if (*(padata + 1) != NULL)
k5_buf_add(&buf, ", ");
}
+ } else if (strcmp(tmpbuf, "patype") == 0) {
+ pa_type = va_arg(ap, krb5_preauthtype);
+ name = padata_type_string(pa_type);
+ if (name != NULL)
+ k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type);
+ else
+ k5_buf_add_fmt(&buf, "%d", (int)pa_type);
} else if (strcmp(tmpbuf, "etype") == 0) {
etype = va_arg(ap, krb5_enctype);
if (krb5_enctype_to_name(etype, TRUE, tmpbuf, sizeof(tmpbuf)) == 0)
diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py
index 3030322e1..1ba3536da 100755
--- a/src/tests/t_pkinit.py
+++ b/src/tests/t_pkinit.py
@@ -164,18 +164,19 @@ realm.stop_kdc()
realm.start_kdc()
# Run the basic test - PKINIT with FILE: identity, with no password on the key.
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'PKINIT client received freshness token from KDC',
+ 'PKINIT loading CA certs and CRLs from FILE',
+ 'PKINIT client making DH request',
+ ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)',
+ 'PKINIT client verified DH reply',
+ 'PKINIT client found id-pkinit-san in KDC cert',
+ 'PKINIT client matched KDC principal krbtgt/')
realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % file_identity],
- expected_trace=('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'PKINIT client received freshness token from KDC',
- 'PKINIT loading CA certs and CRLs from FILE',
- 'PKINIT client making DH request',
- 'Produced preauth for next request: 133, 16',
- 'PKINIT client verified DH reply',
- 'PKINIT client found id-pkinit-san in KDC cert',
- 'PKINIT client matched KDC principal krbtgt/'))
+ expected_trace=msgs)
realm.klist(realm.user_princ)
realm.run([kvno, realm.host_princ])
@@ -194,19 +195,19 @@ minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}}
minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf)
realm.stop_kdc()
realm.start_kdc(env=minbits_env)
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Preauth module pkinit (16) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, 16',
- '/Key parameters not accepted',
- 'Preauth tryagain input types (16): 109, 133',
- 'trying again with KDC-provided parameters',
- 'Preauth module pkinit (16) tryagain returned: 0/Success',
- 'Followup preauth for next request: 16, 133')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Preauth module pkinit (16) (real) returned: 0/Success',
+ ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)',
+ '/Key parameters not accepted',
+ 'Preauth tryagain input types (16): 109, PA-FX-COOKIE (133)',
+ 'trying again with KDC-provided parameters',
+ 'Preauth module pkinit (16) tryagain returned: 0/Success',
+ ' preauth for next request: PA-PK-AS-REQ (16), PA-FX-COOKIE (133)')
realm.kinit(realm.user_princ,
flags=['-X', 'X509_user_identity=%s' % file_identity],
- expected_trace=expected_trace)
+ expected_trace=msgs)
# Test enforcement of required freshness tokens. (We can leave
# freshness tokens required after this test.)
diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py
index fec0bf619..efb3ea20d 100644
--- a/src/tests/t_preauth.py
+++ b/src/tests/t_preauth.py
@@ -18,15 +18,15 @@ realm.kinit('nokeyuser', password('user'), expected_code=1,
# PA-FX-COOKIE; 2 is encrypted timestamp.
# Test normal preauth flow.
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- 'Decrypted AS reply')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ 'Decrypted AS reply')
realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='testval', expected_trace=expected_trace)
+ expected_msg='testval', expected_trace=msgs)
# Test successful optimistic preauth.
expected_trace = ('Attempting optimistic preauth',
@@ -39,136 +39,136 @@ realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')],
# Test optimistic preauth failing on client, followed by successful
# preauth using the same module.
-expected_trace = ('Attempting optimistic preauth',
- 'Processing preauth types: -123',
- '/induced optimistic fail',
- 'Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- 'Decrypted AS reply')
+msgs = ('Attempting optimistic preauth',
+ 'Processing preauth types: -123',
+ '/induced optimistic fail',
+ 'Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ 'Decrypted AS reply')
realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ,
password('user')], expected_msg='testval',
- expected_trace=expected_trace)
+ expected_trace=msgs)
# Test optimistic preauth failing on KDC, followed by successful preauth
# using the same module.
realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes'])
-expected_trace = ('Attempting optimistic preauth',
- 'Processing preauth types: -123',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: -123',
- '/Preauthentication failed',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- 'Decrypted AS reply')
+msgs = ('Attempting optimistic preauth',
+ 'Processing preauth types: -123',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: -123',
+ '/Preauthentication failed',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ 'Decrypted AS reply')
realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')],
- expected_msg='testval', expected_trace=expected_trace)
+ expected_msg='testval', expected_trace=msgs)
realm.run([kadminl, 'delstr', realm.user_princ, 'failopt'])
# Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies.
realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip'])
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, 133',
- 'Produced preauth for next request: 133, -123',
- 'Decrypted AS reply')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ '/More preauthentication data is required',
+ 'Continuing preauth mech -123',
+ 'Processing preauth types: -123, PA-FX-COOKIE (133)',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ 'Decrypted AS reply')
realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='2rt: secondtrip', expected_trace=expected_trace)
+ expected_msg='2rt: secondtrip', expected_trace=msgs)
# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
# falling back to encrypted timestamp.
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, 133',
- '/induced 2rt fail',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, 2',
- 'Decrypted AS reply')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ '/More preauthentication data is required',
+ 'Continuing preauth mech -123',
+ 'Processing preauth types: -123, PA-FX-COOKIE (133)',
+ '/induced 2rt fail',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Encrypted timestamp (for ',
+ 'module encrypted_timestamp (2) (real) returned: 0/Success',
+ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
+ 'Decrypted AS reply')
realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')],
- expected_msg='2rt: secondtrip', expected_trace=expected_trace)
+ expected_msg='2rt: secondtrip', expected_trace=msgs)
# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED,
# falling back to encrypted timestamp.
realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes'])
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- '/More preauthentication data is required',
- 'Continuing preauth mech -123',
- 'Processing preauth types: -123, 133',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- '/Preauthentication failed',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, 2',
- 'Decrypted AS reply')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ '/More preauthentication data is required',
+ 'Continuing preauth mech -123',
+ 'Processing preauth types: -123, PA-FX-COOKIE (133)',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ '/Preauthentication failed',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Encrypted timestamp (for ',
+ 'module encrypted_timestamp (2) (real) returned: 0/Success',
+ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
+ 'Decrypted AS reply')
realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='2rt: secondtrip', expected_trace=expected_trace)
+ expected_msg='2rt: secondtrip', expected_trace=msgs)
realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt'])
# Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC.
realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain'])
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- '/KDC has no support for encryption type',
- 'Recovering from KDC error 14 using preauth mech -123',
- 'Preauth tryagain input types (-123): -123, 133',
- 'Preauth module test (-123) tryagain returned: 0/Success',
- 'Followup preauth for next request: -123, 133',
- 'Decrypted AS reply')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ '/KDC has no support for encryption type',
+ 'Recovering from KDC error 14 using preauth mech -123',
+ 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)',
+ 'Preauth module test (-123) tryagain returned: 0/Success',
+ 'Followup preauth for next request: -123, PA-FX-COOKIE (133)',
+ 'Decrypted AS reply')
realm.run(['./icred', realm.user_princ, password('user')],
- expected_msg='tryagain: testagain', expected_trace=expected_trace)
+ expected_msg='tryagain: testagain', expected_trace=msgs)
# Test a client-side tryagain failure, falling back to encrypted
# timestamp.
-expected_trace = ('Sending unauthenticated request',
- '/Additional pre-authentication required',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Preauth module test (-123) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, -123',
- '/KDC has no support for encryption type',
- 'Recovering from KDC error 14 using preauth mech -123',
- 'Preauth tryagain input types (-123): -123, 133',
- '/induced tryagain fail',
- 'Preauthenticating using KDC method data',
- 'Processing preauth types:',
- 'Encrypted timestamp (for ',
- 'module encrypted_timestamp (2) (real) returned: 0/Success',
- 'Produced preauth for next request: 133, 2',
- 'Decrypted AS reply')
+msgs = ('Sending unauthenticated request',
+ '/Additional pre-authentication required',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Preauth module test (-123) (real) returned: 0/Success',
+ 'Produced preauth for next request: PA-FX-COOKIE (133), -123',
+ '/KDC has no support for encryption type',
+ 'Recovering from KDC error 14 using preauth mech -123',
+ 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)',
+ '/induced tryagain fail',
+ 'Preauthenticating using KDC method data',
+ 'Processing preauth types:',
+ 'Encrypted timestamp (for ',
+ 'module encrypted_timestamp (2) (real) returned: 0/Success',
+ 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)',
+ 'Decrypted AS reply')
realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ,
- password('user')], expected_trace=expected_trace)
+ password('user')], expected_trace=msgs)
# Test that multiple stepwise initial creds operations can be
# performed with the same krb5_context, with proper tracking of

27
Report-extended-errors-in-kinit-k-t-KDB.patch Normal file
View File

@ -0,0 +1,27 @@
From b3b5cf3d57ac2889aeab82a79a6ea967c1412eb6 Mon Sep 17 00:00:00 2001
From: Greg Hudson <ghudson@mit.edu>
Date: Sat, 17 Mar 2018 22:47:34 -0400
Subject: [PATCH] Report extended errors in kinit -k -t KDB:
In kinit, if we recreate the context using kinit_kdb_init(), also
reset the global errctx so that we use the new context to retrieve
extended error messages.
ticket: 8652 (new)
(cherry picked from commit d4d902d317a2acc46ee71094a33a9203b6135275)
---
src/clients/kinit/kinit.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index a518284ea..3fdae2878 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -718,6 +718,7 @@ k5_kinit(struct k_opts *opts, struct k5_data *k5)
#ifndef _WIN32
if (strncmp(opts->keytab_name, "KDB:", 4) == 0) {
ret = kinit_kdb_init(&k5->ctx, k5->me->realm.data);
+ errctx = k5->ctx;
if (ret) {
com_err(progname, ret,
_("while setting up KDB keytab for realm %s"),

10
krb5.spec
View File

@ -18,7 +18,7 @@ Summary: The Kerberos network authentication system
Name: krb5 Name: krb5
Version: 1.16 Version: 1.16
# for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces) # for prerelease, should be e.g., 0.% {prerelease}.1% { ?dist } (without spaces)
Release: 11%{?dist} Release: 12%{?dist}
# lookaside-cached sources; two downloads and a build artifact # lookaside-cached sources; two downloads and a build artifact
Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz Source0: https://web.mit.edu/kerberos/dist/krb5/1.16/krb5-%{version}%{prerelease}.tar.gz
@ -71,6 +71,10 @@ Patch44: Refactor-KDC-krb5_pa_data-utility-functions.patch
Patch45: Simplify-kdc_preauth.c-systems-table.patch Patch45: Simplify-kdc_preauth.c-systems-table.patch
Patch46: Add-PKINIT-client-support-for-freshness-token.patch Patch46: Add-PKINIT-client-support-for-freshness-token.patch
Patch47: Add-PKINIT-KDC-support-for-freshness-token.patch Patch47: Add-PKINIT-KDC-support-for-freshness-token.patch
Patch48: Allow-validation-of-PACs-with-enterprise-names.patch
Patch49: Fix-read-overflow-in-KDC-sort_pa_data.patch
Patch50: Include-preauth-name-in-trace-output-if-possible.patch
Patch51: Report-extended-errors-in-kinit-k-t-KDB.patch
License: MIT License: MIT
URL: http://web.mit.edu/kerberos/www/ URL: http://web.mit.edu/kerberos/www/
@ -720,6 +724,10 @@ exit 0
%{_libdir}/libkadm5srv_mit.so.* %{_libdir}/libkadm5srv_mit.so.*
%changelog %changelog
* Tue Mar 20 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-12
- Log preauth names in trace output
- Misc bugfixes from upstream
* Mon Mar 19 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-11 * Mon Mar 19 2018 Robbie Harwood <rharwood@redhat.com> - 1.16-11
- Add PKINIT KDC support for freshness token - Add PKINIT KDC support for freshness token