[19775] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: krbdev Digest, Vol 186, Issue 6

daemon@ATHENA.MIT.EDU (Joshua Acosta)
Wed Jul 11 11:38:34 2018

MIME-Version: 1.0
In-Reply-To: <mailman.195.1529424036.4894.krbdev@mit.edu>
From: Joshua Acosta <joshuacosta6@gmail.com>
Date: Wed, 11 Jul 2018 17:38:09 +0200
Message-ID: <CAB2Uq9=qchr9fJHkkNQaG4R=nhyN_HkXaoSoKuVpK-hCkFxM9A@mail.gmail.com>
To: krbdev@mit.edu
Content-Type: text/plain; charset="utf-8"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

Hi Greg,

I'm very sorry for delay. We have been retrieving the most cleary
information that we can offer to you.

Let's go.

- The environment
  =============
  PC with Kerberos for Windows 4.1 & IBM Host ZOs
  Account in IBM Host with password expiration


- First test
  =======
  kinit with comand, result OK

The commands are:
c:\program files\mit\kerberos\bin\kinit it00046@PGME.DESE
Password for it00046@PGME.DESE:
Password expired. You must change it now.
Enter new password:

The behaviour is OK.

The info that offers WireShark is:

1 Computer -> Host: AS-REQ
2 Host -> Computer: KRB Error: KRB5KDC_ERR_KEY_EXP
3 Computer -> Host: AS-REQ
4 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
5 Computer -> Host: AS-REQ
6 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
7 Computer -> Host: AS-REQ
8 Host -> Computer: AS-REP

The steps 1-6 ocurrs when we do "kinit it00046@PGME.DESE".
Steps 7-8 at "Password for ...".


The ZOs debug's info at point 7/8 (AS-REQ/AS-REP) is:

 180711 13:51:07 (00000001) DBG8 KRB/KRB_CRYPTO k5_aes_decrypt(): Software
AES256 decryption performed for 44 bytes
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_decrypt_int(): <--
krb5_c_decrypt_int(1): Status 0x0
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_make_random_key():
--> krb5_c_make_random_key(): Enctype 18
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL
crypto_generate_random_bytes(): --> crypto_generate_random_bytes(): Length
32
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL
crypto_generate_random_bytes(): <-- crypto_generate_random_bytes(1): Status
0x0
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_make_random_key():
<-- krb5_c_make_random_key(1): Status 0x0
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_encrypt_length():
--> krb5_c_encrypt_length(): Enctype 18, Length 166
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_encrypt_length():
<-- krb5_c_encrypt_length(1): Status 0x0, Encrypted length
 180711 13:51:07 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_encrypt_int(): -->
krb5_c_encrypt_int(): Enctype 18, Usage 2, Length 166
... <very more lines but all ok>


- Second test
  =========
  kinit with leash_kinit, result KO

Code program:

result = Leash_kinit((char *)User.c_str(), (char *)Password.c_str(),
(int)P_LifeTime);

WireShark info's:

1 Computer -> Host: AS-REQ
2 Host -> Computer: KRB Error: KRB5KDC_ERR_KEY_EXP
3 Computer -> Host: AS-REQ
4 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_FAILED
5 Computer -> Host: AS-REQ
6 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_REQUIRED
7 Computer -> Host: AS-REQ
8 Host -> Computer: KRB Error: KRB5KDC_ERR_PREAUTH_FAILED (!)


The ZOs debug's info at point 7/8 (AS-REQ with preauth fail) is:

180711 13:51:56 (00000001) DBG8 KRB/KRB_CRYPTO k5_aes_decrypt(): Software
AES256 decryption performed for 44 bytes
180711 13:51:56 (00000001) DBG1 KRB/KRB_GENERAL krb5_c_decrypt_int(): <--
krb5_c_decrypt_int(1): Status 0x96c73a1f (!)
 180711 13:51:56 (00000001) DBG6 KDC/KRB_KDC kdc_preauth_timestamp():
PREAUTH: krb5_c_decrypt_int() failed: Status 0x96c73a1f
 180711 13:51:56 (00000001) DBG6 KDC/KRB_KDC kdc_as_process_request():
AS_REQ: kdc_preauth_process_padata() failed: Status 0x18
 180711 13:51:56 (00000001) DBG8 KDC/KRB_KDC kdc_audit_login(): RACF: Audit
AS_REQ for pg807002: Function 2
 EUVF04039W Kerberos login failed for pg807002@PGME.DESE at
10.120.232.18:63980: KDC status 0x96c73a18 - Preauthentication failed.
 180711 13:51:56 (00000001) DBG1 KDC/KRB_KDC kdc_as_process_request():
AS_REQ: KDC error 24 processing request from pg807002@PGME.DES


Do you think that leash_kinit make a bad encryptation in the AS-REQ?, maybe
a problem with timestamp?.

More info: the only diference that we have found in the conversation
between the partners is that in "ok case", at first AS-REQ (point 1), the
kdc-options are "renewable-ok", in the wrong case are
"forwardable,renewable". The rest are exactly equal.



Thanks in advance.
Josep Maria.


El mar., 19 jun. 2018 a las 18:00, <krbdev-request@mit.edu> escribió:

> Send krbdev mailing list submissions to
>         krbdev@mit.edu
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://mailman.mit.edu/mailman/listinfo/krbdev
> or, via email, send a message with subject or body 'help' to
>         krbdev-request@mit.edu
>
> You can reach the person managing the list at
>         krbdev-owner@mit.edu
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of krbdev digest..."
>
>
> Today's Topics:
>
>    1. Re: obscured error code (was Re: krbdev Digest, Vol 186,
>       Issue 4) (Greg Hudson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 18 Jun 2018 12:25:58 -0400
> From: Greg Hudson <ghudson@mit.edu>
> Subject: Re: obscured error code (was Re: krbdev Digest, Vol 186,
>         Issue 4)
> To: Joshua Acosta <joshuacosta6@gmail.com>, krbdev@mit.edu
> Message-ID: <39b95f13-4992-75d3-7aff-e575450cebf9@mit.edu>
> Content-Type: text/plain; charset=utf-8; format=flowed
>
> On 06/18/2018 07:21 AM, Joshua Acosta wrote:
> > The problem that we have is when we demand a ticket TGT of a user that is
> > in "renewal state", the function leash_kinit doesn't inform about this
> > situacion, that has a return code KRB5KDC_ERR_KEY_EXP, instead of this
> > value the code returned is KRB5KDC_ERR_PREAUTH_FAILED.
> >
> > We are "sniffing" the conversation between client and Host IBM and can
> see
> > that the error of key expired is fired, but is hiding by the next error:
> > preauth fail.
>
> Can you share more details of the packet trace?  I do not know
> immediately know why the exchange would not end at the
> KRB5KDC_ERR_KEY_EXP response and yield that error code.
>
>
> ------------------------------
>
> _______________________________________________
> krbdev mailing list
> krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
>
> End of krbdev Digest, Vol 186, Issue 6
> **************************************
>
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev


home help back first fref pref prev next nref lref last post