[OpenAFS] klog.krb creates invalid K4 ticket files on x86_64 Linuxes
Rainer Toebbicke
rtb@pclella.cern.ch
Thu, 09 Aug 2007 11:46:32 +0200
This is a multi-part message in MIME format.
--------------010607040009070101080405
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
At the danger of being considered back-level:
on x86_64 the klog.krb program (and in fact the whole libauth library)
creates "invalid" Kerberos 4 ticket files.
[the word "invalid" may be contentious - some consider krb4 support in
MIT kerberos 5 buggy... nevertheless:]
AFS defines the "issue-date" in the ticket file alike the token
"startTime" to be an afs_int32, whereas krb4 in MIT Kerberos 5
considers it a "long". Problems hence arise on platforms where long !=
afs_int32 - krb4-aware applications such as cvs fail because of
invalid tickets.
This is of course an issue only for very conservative installations -
replacing klog.krb by Heimdal kinit or a MIT-kinit+aklog+krb524init
script is a reasonable bypass.
Could something break? KTH Kerberos and hence Heimdal with Krb4 used
to consider this field a hard 32 bit as well, Debian sarge users
*could* run into problems but AFAIK there is no sarge for amd64 and
anyway they would use "kinit" and not klog.krb.
Patch attached and Bcc'ed to openafs-bugs.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Rainer Toebbicke
European Laboratory for Particle Physics(CERN) - Geneva, Switzerland
Phone: +41 22 767 8985 Fax: +41 22 767 7155
--------------010607040009070101080405
Content-Type: text/plain;
name="p_klog_tf"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="p_klog_tf"
--- openafs/src/kauth/krb_tf.c.o144 2003-07-16 01:15:17.000000000 +0200
+++ openafs/src/kauth/krb_tf.c 2007-08-03 11:42:44.000000000 +0200
@@ -84,6 +84,7 @@
char *tf_name;
struct ktc_principal client, server;
struct ktc_token token;
+ long mit_compat; /* MIT Kerberos 5 with Krb4 uses a "long" for issue_date */
if ((strlen(realm) >= sizeof(client.cell)))
return KABADNAME;
@@ -149,8 +150,9 @@
if (write(fd, (char *)(token.ticket), count) != count)
goto bad;
/* Issue date */
- if (write(fd, (char *)&token.startTime, sizeof(afs_int32))
- != sizeof(afs_int32))
+ mit_compat = token.startTime;
+ if (write(fd, (char *)&mit_compat, sizeof(mit_compat))
+ != sizeof(mit_compat))
goto bad;
close(fd);
return 0;
--- openafs/src/auth/ktc.c.o144 2007-08-03 14:22:59.000000000 +0200
+++ openafs/src/auth/ktc.c 2007-08-03 14:27:54.000000000 +0200
@@ -1163,6 +1163,7 @@
{
int k_errno;
int kvno, lifetime;
+ long mit_compat; /* MIT Kerberos 5 with Krb4 uses a "long" for issue_date */
if (fd < 0) {
return TKT_FIL_INI;
@@ -1199,10 +1200,10 @@
/* don't try to read a silly amount into ticket->dat */
token->ticketLen > MAXKTCTICKETLEN
|| tf_read((char *)(token->ticket), token->ticketLen) < 1
- || tf_read((char *)&(token->startTime),
- sizeof(token->startTime)) < 1) {
+ || tf_read((char *)&mit_compat, sizeof(mit_compat)) < 1) {
return TKT_FIL_FMT;
}
+ token->startTime = mit_compat;
token->endTime = life_to_time(token->startTime, lifetime);
token->kvno = kvno;
return 0;
@@ -1330,6 +1331,7 @@
off_t start;
int lifetime, kvno;
int count; /* count for write */
+ long mit_compat; /* MIT Kerberos 5 with Krb4 uses a "long" for issue_date */
if (fd < 0) { /* fd is ticket file as set by afs_tf_init */
return TKT_FIL_INI;
@@ -1399,8 +1401,9 @@
if (write(fd, atoken->ticket, count) != count)
goto bad;
/* Issue date */
- if (write(fd, (char *)&atoken->startTime, sizeof(afs_int32))
- != sizeof(afs_int32))
+ mit_compat = atoken->startTime;
+ if (write(fd, (char *)&mit_compat, sizeof(mit_compat))
+ != sizeof(mit_compat))
goto bad;
/* Actually, we should check each write for success */
--------------010607040009070101080405--