[OpenAFS] Heimdal KDC bug mentioned in rekeying document

Ragnar Sundblad ragge@csc.kth.se
Fri, 26 Jul 2013 11:43:57 +0200


On 26 jul 2013, at 10:57, Sergio Gelato <Sergio.Gelato@astro.su.se> wrote:

> * Andrew Deason [2013-07-25 14:35:58 -0500]:
>> On Thu, 25 Jul 2013 15:22:50 -0400 (EDT)
>> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>>
>>> On Thu, 25 Jul 2013, Sergio Gelato wrote:
>>>
>>>> I've been poking a bit into this. First of all, let's make sure I
>>>> don't misunderstand your expectation here: do you want the KDC to be
>>>> willing to issue a ticket with a des-cbc-crc session key (as
>>>> requested by old aklog) even though the afs service principal does
>>>> not have that enctype?
>>
>> That was the idea. But that doesn't work, as you've seen. Sorry about
>> that; we were trying a lot of different KDC/configuration
>> combinations...
>>
>>>> Or are we Heimdal users expected to add that enctype to afs/cell
>>>> whenever we rekey?
>>
>> That appears to be what you'll need to do, unless you can change the
>> KDC's behavior.
>
> I've now succeeded in changing the KDC's behavior.
>
> First of all, Heimdal's krb5.conf(5) man page states the wrong defaults
> (I've reported this bug). [kdc]svc-use-strongest-session-key is false by
> default, toggle it if you want to use the new session key selection
> algorithm.
>
> Secondly, the following patch is required:
> --- a/kdc/kerberos5.c
> +++ b/kdc/kerberos5.c
> @@ -183,9 +183,10 @@
> 	    }
> 	}
> 	if (clientbest != (krb5_enctype)ETYPE_NULL &&
> -	    enctype == (krb5_enctype)ETYPE_NULL)
> +	    enctype == (krb5_enctype)ETYPE_NULL) {
> 	    enctype = clientbest;
> -	else if (enctype == (krb5_enctype)ETYPE_NULL)
> +	    ret = 0;
> +	} else if (enctype == (krb5_enctype)ETYPE_NULL)
> 	    ret = KRB5KDC_ERR_ETYPE_NOSUPP;
> 	if (ret == 0 && ret_enctype != NULL)
> 	    *ret_enctype = enctype;
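Review bot: The new `ret = 0;` in the `clientbest` branch reports success even though this branch is only reached when no service key matched any client enctype, and the hunk assigns `enctype = clientbest;` without any corresponding key lookup; with `ret == 0`, `*ret_enctype = enctype;` is then written while whatever key output the caller reads stays unset. Either take this path only when the caller does not need a key, or look up a key for `clientbest` before clearing `ret`.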
>
> I'll submit it to heimdal-bugs for consideration.

I believe you should change the test to also check that ret_key == NULL:
        if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL && ret_key == NULL) {
            enctype = clientbest;
            ret = 0;
        }
since if there is no common key-type, key will be NULL, and the later
        if (ret == 0 && ret_key != NULL)
            *ret_key = key;
will return a NULL pointer.

Does your change really work as expected? (I am a bit surprised,
since in krb5tgs.c:tgs_build_reply() the result of the enctype is
ignored and the key is the one used (strangely!).)

But maybe I read it incorrectly, it is a bit... involved...

/ragge
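A stand-alone C model of the session-key selection under discussion, added here to make the NULL-key objection concrete; it is not Heimdal's code, and `find_etype`, `Key`, `scenario`, the error value and the key tables are constructed for illustration. Mode 1 reproduces the posted patch, mode 2 adds the `ret_key == NULL` guard proposed in the reply.

```c
#include <stddef.h>
#include <stdio.h>

#define ETYPE_NULL 0
#define KRB5KDC_ERR_ETYPE_NOSUPP 14   /* placeholder value; Heimdal's constant differs */
typedef struct { int etype; const char *keyvalue; } Key;   /* constructed stand-in */

/* Pick a session-key enctype in client preference order: the first client enctype
 * the service has a key for wins. If nothing matches, `mode` decides:
 * 0 = original (fail), 1 = posted patch (ret = 0, key stays NULL), 2 = patch + guard. */
int find_etype(int mode, const Key *svc, size_t nsvc, const int *cli, size_t ncli,
               int *ret_enctype, const Key **ret_key)
{
    int ret = KRB5KDC_ERR_ETYPE_NOSUPP, enctype = ETYPE_NULL, clientbest = ETYPE_NULL;
    const Key *key = NULL;
    for (size_t i = 0; i < ncli && enctype == ETYPE_NULL; i++) {
        if (clientbest == ETYPE_NULL)
            clientbest = cli[i];                 /* client's most preferred enctype */
        for (size_t j = 0; j < nsvc; j++)
            if (svc[j].etype == cli[i]) { enctype = cli[i]; key = &svc[j]; ret = 0; break; }
    }
    if (clientbest != ETYPE_NULL && enctype == ETYPE_NULL &&
        (mode == 1 || (mode == 2 && ret_key == NULL))) {
        enctype = clientbest;                    /* no service key of this enctype exists */
        ret = 0;
    } else if (enctype == ETYPE_NULL) {
        ret = KRB5KDC_ERR_ETYPE_NOSUPP;
    }
    if (ret == 0 && ret_enctype != NULL) *ret_enctype = enctype;
    if (ret == 0 && ret_key != NULL) *ret_key = key;   /* NULL in mode 1: the hazard */
    return ret;
}

/* Constructed scenario: service keyed for aes256 (18) and aes128 (17) only; the client
 * asks for `cli_etype` (1 = des-cbc-crc, as old aklog does). Returns ret, or -1 when
 * ret == 0 but the requested key came back NULL. */
int scenario(int mode, int cli_etype, int want_key)
{
    static const Key svc[] = { {18, "aes256-key"}, {17, "aes128-key"} };
    const int cli[] = { cli_etype };
    int enctype = ETYPE_NULL; const Key *key = NULL;
    int ret = find_etype(mode, svc, 2, cli, 1, &enctype, want_key ? &key : NULL);
    if (ret == 0 && want_key && key == NULL) return -1;
    return ret;
}

int main(void)
{
    for (int m = 0; m < 3; m++)   /* columns: des-cbc-crc+key, aes256+key, des-cbc-crc no key */
        printf("mode %d: %d %d %d\n", m, scenario(m, 1, 1), scenario(m, 18, 1), scenario(m, 1, 0));
    return 0;
}
```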