[OpenAFS] Re: Heimdal KDC bug mentioned in rekeying document

Sergio Gelato Sergio.Gelato@astro.su.se
Thu, 25 Jul 2013 19:12:11 +0200


* Andrew Deason [2013-07-25 10:03:18 -0500]:
> On Thu, 25 Jul 2013 09:11:38 -0400 (EDT)
> stephen@physics.unc.edu wrote:
> 
> > In the cell rekeying instructions found at
> > <http://openafs.org/pages/security/how-to-rekey.txt>, there is a note
> > for sites using Heimdal KDCs. It mentions a bug present in "certain
> > versions" of the Heimdal KDC software which completely disables DES on
> > the AFS service principal when following the document's instructions.
> > 
> > Is more information available about specific versions of the Heimdal
> > KDC software which exhibits this bug? The document mentions
> > experimentally verifying ticket acquisition, which seems wise. But
> > also knowing the KDC versions which have the bug would be beneficial.
> 
> Sorry about that; this was raised very shortly before the issue became
> public; I wanted this note to be in there even if we couldn't provide
> full information, so you would be aware that _something_ was wrong with
> this.
> 
> Allegedly it exists in 1.4 and possibly all earlier versions, and is
> fixed somewhere around 1.5. However, it has apparently been fixed and
> reintroduced a couple of times, so I'm not sure if such a simple
> version range is accurate. All I've actually verified so far is that it
> definitely is a problem on Debian's 1.4.0~git20100726.dfsg.1-2+squeeze1.

I've been poking a bit into this. First of all, let's make sure I don't
misunderstand your expectation here: do you want the KDC to be willing to
issue a ticket with a des-cbc-crc session key (as requested by old aklog)
even though the afs service principal does not have that enctype? Or are
we Heimdal users expected to add that enctype to afs/cell whenever we
rekey? The latter works with the Heimdal KDCs I've tried (the pre-1.4.0
from Debian squeeze and the pre-1.6 from Debian wheezy), the former doesn't.

The relevant code seems to be in kdc/kerberos5.c:_kdc_find_etype(). It was
reworked in 2011, largely by Nico Williams, to use a new session key enctype
selection algorithm (controlled by {tgt,svc,preauth}-use-strongest-session-key
in krb5.conf, and now on by default) as an alternative to the old one. The
old code, which the comments claim conforms to RFC4120, still cannot select
an enctype that isn't in the intersection of the principal's and the client's
lists. The new code looks like it should (provided that allow_weak_crypto=true
for the KDC; the _kdc_is_weak_exception() mechanism won't help here) as a
last resort, except it forgets to set ret=0 in the relevant code path
(after "enctype = clientbest;"). It looks like the bug might still be there
at the tip of the master branch as of this writing. I'll try to test my
putative fix later tonight.
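As an added illustration, not part of this thread and not Heimdal's code: a simplified C model of the two-pass selection described above (hypothetical names such as find_etype and the struct sel result are assumptions), showing how leaving ret at its error value in the last-resort path makes the KDC refuse a des-cbc-crc session key for an old aklog after afs/cell has been rekeyed to AES and 3DES, even though an enctype was in fact chosen.

```c
#include <stdbool.h>
#include <stddef.h>

/* Model of a KDC session-key enctype chooser, constructed to illustrate the
 * missing `ret = 0` discussed above. It is NOT Heimdal's _kdc_find_etype();
 * names and control flow are simplifying assumptions. */
typedef int krb5_enctype;
enum { ETYPE_DES_CBC_CRC = 1, ETYPE_DES3_CBC_SHA1 = 16, ETYPE_AES256_CTS = 18 };
#define KRB5KDC_ERR_ETYPE_NOSUPP 14

struct sel { int ret; krb5_enctype etype; };

static bool is_weak(krb5_enctype e) { return e == ETYPE_DES_CBC_CRC; }

/* client[]: enctypes the client asked for, best first; princ[]: enctypes the
 * service principal has keys for. allow_weak models allow_weak_crypto; fixed
 * toggles the one-line fix in the last-resort path. */
static struct sel find_etype(const krb5_enctype *client, size_t nc,
                             const krb5_enctype *princ, size_t np,
                             bool allow_weak, bool fixed)
{
    struct sel s = { KRB5KDC_ERR_ETYPE_NOSUPP, 0 };
    krb5_enctype clientbest = 0;
    /* pass 1: RFC 4120 behaviour, intersection of client and principal lists */
    for (size_t i = 0; i < nc && s.ret != 0; i++) {
        if (is_weak(client[i]) && !allow_weak) continue;   /* KDC refuses weak */
        if (clientbest == 0) clientbest = client[i];       /* first acceptable */
        for (size_t j = 0; j < np; j++)
            if (client[i] == princ[j]) { s.etype = client[i]; s.ret = 0; break; }
    }
    /* pass 2: last resort, use the client's best acceptable enctype even though
     * the principal has no key of that type (session keys are random, so none
     * is needed; model assumption). Weak types were already filtered above. */
    if (s.ret != 0 && clientbest != 0) {
        s.etype = clientbest;
        if (fixed) s.ret = 0;   /* without this the caller still sees an error */
    }
    return s;
}

/* Old aklog asks only for des-cbc-crc; afs/cell was rekeyed to AES and 3DES. */
static struct sel old_aklog_after_rekey(bool allow_weak, bool fixed)
{
    const krb5_enctype c[] = { ETYPE_DES_CBC_CRC };
    const krb5_enctype p[] = { ETYPE_AES256_CTS, ETYPE_DES3_CBC_SHA1 };
    return find_etype(c, 1, p, 2, allow_weak, fixed);
}

/* A modern client lists AES first, so the intersection path succeeds. */
static struct sel modern_client_after_rekey(bool fixed)
{
    const krb5_enctype c[] = { ETYPE_AES256_CTS, ETYPE_DES_CBC_CRC };
    const krb5_enctype p[] = { ETYPE_AES256_CTS, ETYPE_DES3_CBC_SHA1 };
    return find_etype(c, 2, p, 2, true, fixed);
}
```

With fixed=false the old-aklog case returns KRB5KDC_ERR_ETYPE_NOSUPP while etype already holds des-cbc-crc; with fixed=true it returns 0 with the same etype, and the modern client is unaffected either way.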