HELP!! invalid AS-REP from Linux running MIT Kerberos V5 - Kerberos


  1. HELP!! invalid AS-REP from Linux running MIT Kerberos V5

    Hello,

    Please help us!

    We are having a problem when processing AS-REP received from our KDC in
    Linux environment.

    Our Linux Configuration
    ==================
    We are running a standard Fedora 5 distribution.
    The kernel version is:
    Linux version 2.6.17-1.2139_FC5
    (brewbuilder@hs20-bc2-4.build.redhat.com)
    We are running an MIT Kerberos V5 KDC, installed using the package:
    krb5-server - 1.4.3-4.1.i386.

    We have a Kerberos client application that runs under Windows. The
    client application sent a valid AS-REQ to our KDC in Linux.
    The KDC successfully processed it and sent back AS-REP to our client
    application. However, when our application successfully decrypts
    the 'enc-part' field of AS-REP, it is of type EncTGSRepPart (application
    26) instead of being of type EncASRepPart (application 25)
    as described in section 5.4.2 of RFC 1510 http://rfc.net/rfc1510.html .
    It seems like the AS-REP from our Linux is not conforming
    to RFC.

    Our application currently has to work for both Windows and Linux and
    when receiving AS-REP from Windows, we are getting a
    correct application type (i.e. EncASRepPart). Could you please tell us
    if you have seen this problem and if so, how to resolve it?

    As a test, I changed our application to accept application 26 as valid
    one for AS-REP and was able to process AS-REP completely
    and extract TGT and the key. However, the way our application is
    written, it can't accept both so we need to see why our KDC in
    Linux is giving us the wrong type.

    Thank you in advance and hope to hear from someone out there very soon!
    Eliza


    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos


  2. Re: HELP!! invalid AS-REP from Linux running MIT Kerberos V5

    >>>>> "Eliza" == Khosrova, Eliza writes:

    Eliza> We have a Kerberos client application that runs under Windows. The
    Eliza> client application sent a valid AS-REQ to our KDC in Linux.
    Eliza> The KDC successfully processed it and sent back AS-REP to our client
    Eliza> application. However, when our application successfully decrypts
    Eliza> the 'enc-part' field of AS-REP, it is of type EncTGSRepPart (application
    Eliza> 26) instead of being of type EncASRepPart (application 25)
    Eliza> as described in section 5.4.2 of RFC 1510 http://rfc.net/rfc1510.html .
    Eliza> It seems like the AS-REP from our Linux is not conforming
    Eliza> to RFC.

    Please see RFC 4120, Section 5.4.2. It explains exactly this
    situation.

    ---Tom


  3. Re: HELP!! invalid AS-REP from Linux running MIT Kerberos V5

    "Khosrova, Eliza" writes:
    > Subject: HELP!! invalid AS-REP from Linux running MIT Kerberos V5
    > Date: Tue, 11 Jul 2006 13:32:44 -0700
    > Message-ID: <02954887D466F24D9F3FC9F47466DEF0075DA258@cdaexchange.sc.rd.canon.com>
    > From: "Khosrova, Eliza"
    > To:
    >
    > Hello,
    >
    > Please help us!
    >
    > We are having a problem when processing AS-REP received from our KDC in
    > Linux environment.
    >
    > Our Linux Configuration
    > ==================
    > We are running a standard Fedora 5 distribution.
    > The kernel version is:
    > Linux version 2.6.17-1.2139_FC5
    > (brewbuilder@hs20-bc2-4.build.redhat.com)
    > We are running an MIT Kerberos V5 KDC, installed using the package:
    > krb5-server - 1.4.3-4.1.i386.
    >
    > We have a Kerberos client application that runs under Windows. The
    > client application sent a valid AS-REQ to our KDC in Linux.
    > The KDC successfully processed it and sent back AS-REP to our client
    > application. However, when our application successfully decrypts
    > the 'enc-part' field of AS-REP, it is of type EncTGSRepPart (application
    > 26) instead of being of type EncASRepPart (application 25)
    > as described in section 5.4.2 of RFC 1510 http://rfc.net/rfc1510.html .
    > It seems like the AS-REP from our Linux is not conforming
    > to RFC.
    >
    > Our application currently has to work for both Windows and Linux and
    > when receiving AS-REP from Windows, we are getting a
    > correct application type (i.e. EncASRepPart). Could you please tell us
    > if you have seen this problem and if so, how to resolve it?
    >
    > As a test, I changed our application to accept application 26 as valid
    > one for AS-REP and was able to process AS-REP completely
    > and extract TGT and the key. However, the way our application is
    > written, it can't accept both so we need to see why our KDC in
    > Linux is giving us the wrong type.
    >
    > Thank you in advance and hope to hear from someone out there very soon!
    > Eliza


    Cool problem. I'll bet there's some interesting history there.

    MIT kerberos source has these interesting comments:
    src/lib/krb5/asn.1/krbasn1.h
    /*
    * Older versions of the Kerberos are always sending the
    * enc_kdc_rep_part structure with an application tag of #26, instead
    * of using the application tag of #25 (AS REP) or #26 (AS REP) as
    * necessary. Worse yet, they will only accept a tag of #26, so we
    * need to follow this for backwards compatibility. #defining
    * KRB5_ENCKRB5KDCREPPART_COMPAT will preserve this wrong (but
    * compatible) behavior.
    */
    #define KRB5_ENCKRB5KDCREPPART_COMPAT

    and
    src/lib/krb5/asn.1/krb5_encode.c
    #ifdef KRB5_ENCKRB5KDCREPPART_COMPAT
    krb5_apptag(26);
    #else
    /* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */
    if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); }
    else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); }
    else return KRB5_BADMSGTYPE;
    #endif

    Looks like it's working as coded. All of this logic appears to have
    been in MIT since at least kerberos "1.0" in, um, 1995 -- presumably
    the older clients mentioned in the comment ought not be there anymore
    so KRB5_ENCKRB5KDCREPPART_COMPAT could be not defined.

    Out of curiosity, why wouldn't you let your kerberos library there
    do the equivalent of krb5_get_in_tkt or krb5_get_init_creds ?
    If you're doing decode_krb5_as_rep or decode_krb5_enc_kdc_rep_part,
    or checking enc_part2->msg_type, that seems wrong...

    -Marcus Watts
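The compatibility rule Tom points to (RFC 4120, section 5.4.2) and the two tags Marcus quotes from the MIT source, as an added example that is not code from this thread, from MIT krb5 or from any other project: a C check for a client that has just decrypted the enc-part of a KDC reply. RFC 4120 requires a client to accept either application tag 25 or 26 for an AS-REP, while a TGS-REP still carries only 26, so the check is keyed off the outer msg-type rather than being loosened globally. The enum values, function names and sample byte strings below are my own; the byte strings are constructed minimal DER headers, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* KDC-REP msg-type values from RFC 4120 section 5.4.2 (the same numbers MIT
 * krb5 uses for KRB5_AS_REP / KRB5_TGS_REP). Names are this example's own. */
enum { KRB_AS_REP = 11, KRB_TGS_REP = 13 };

/* APPLICATION tag numbers of the decrypted enc-part. */
enum { APPTAG_ENC_AS_REP_PART = 25, APPTAG_ENC_TGS_REP_PART = 26 };

/* Return the APPLICATION tag number of the DER value at buf, or -1 when the
 * identifier octet is not a constructed APPLICATION-class tag in short form
 * (tag numbers below 31), which is all EncKDCRepPart ever uses. */
int der_application_tag(const uint8_t *buf, size_t len)
{
    if (len < 2)
        return -1;
    uint8_t id = buf[0];
    if ((id & 0xC0) != 0x40)   /* class bits 01 = APPLICATION */
        return -1;
    if ((id & 0x20) == 0)      /* EncKDCRepPart is a SEQUENCE: constructed */
        return -1;
    int tag = id & 0x1F;
    if (tag == 0x1F)           /* long-form tag number: never valid here */
        return -1;
    return tag;
}

/* RFC 4120 5.4.2 compatibility rule: an AS-REP's enc-part may arrive tagged
 * 25 or 26 (a KDC built with KRB5_ENCKRB5KDCREPPART_COMPAT always sends 26);
 * a TGS-REP's enc-part must be tagged 26. Keying the decision off the outer
 * message type means accepting 26 for AS-REP does not loosen the TGS-REP check. */
int enc_part_tag_acceptable(int msg_type, int apptag)
{
    switch (msg_type) {
    case KRB_AS_REP:
        return apptag == APPTAG_ENC_AS_REP_PART || apptag == APPTAG_ENC_TGS_REP_PART;
    case KRB_TGS_REP:
        return apptag == APPTAG_ENC_TGS_REP_PART;
    default:
        return 0;
    }
}

/* Check the plaintext obtained by decrypting enc-part against the msg-type of
 * the KDC-REP it arrived in. Returns 1 if acceptable, 0 otherwise. */
int check_decrypted_enc_part(int msg_type, const uint8_t *plaintext, size_t len)
{
    int tag = der_application_tag(plaintext, len);
    return tag >= 0 && enc_part_tag_acceptable(msg_type, tag);
}

/* Constructed sample plaintexts: identifier octet, length, empty SEQUENCE.
 * Only the identifier octet matters for the tag check.
 * 0x79 = APPLICATION, constructed, tag 25; 0x7A = tag 26. */
static const uint8_t compat_as_rep_part[] = { 0x7A, 0x02, 0x30, 0x00 };
static const uint8_t rfc_as_rep_part[]    = { 0x79, 0x02, 0x30, 0x00 };

int main(void)
{
    printf("AS-REP, enc-part tagged 26 (old KDC):  accepted=%d\n",
           check_decrypted_enc_part(KRB_AS_REP, compat_as_rep_part,
                                    sizeof compat_as_rep_part));
    printf("AS-REP, enc-part tagged 25 (RFC form): accepted=%d\n",
           check_decrypted_enc_part(KRB_AS_REP, rfc_as_rep_part,
                                    sizeof rfc_as_rep_part));
    printf("TGS-REP, enc-part tagged 25:           accepted=%d\n",
           check_decrypted_enc_part(KRB_TGS_REP, rfc_as_rep_part,
                                    sizeof rfc_as_rep_part));
    return 0;
}
```

This is the shape of the change Eliza describes testing by hand, done without dropping the check entirely: the AS-REP path tolerates the legacy tag, the TGS-REP path does not, and a plaintext whose first octet is not an APPLICATION tag at all (a decryption with the wrong key typically yields one) is still rejected before any field is parsed.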


  4. Re: HELP!! invalid AS-REP from Linux running MIT Kerberos V5
    On Tuesday, July 11, 2006 07:20:18 PM -0400 Marcus Watts
    wrote:

    > Looks like it's working as coded. All of this logic appears to have
    > been in MIT since at least kerberos "1.0" in, um, 1995 --presumably
    > the older clients mentioned in the comment ought not be there anymore
    > so KRB5_ENCKRB5KDCREPPART_COMPAT could be not defined.


    Last I checked, we actually had such broken clients _deployed_, in the form
    of Cisco terminal servers. We run a Heimdal KDC, which has a configuration
    option to control this behavior. We have to have it set to the
    non-compliant mode, because of the broken clients.

    -- Jeff
