directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Zheng, Kai" <kai.zh...@intel.com>
Subject RE: Kerby GSS tests?
Date Thu, 23 Apr 2015 09:53:23 GMT
It may be caused by bad backend? What’s backend you used? I thought two keys should be the
same anyway.

From: Zheng, Kai
Sent: Thursday, April 23, 2015 5:52 PM
To: 'coheigea@apache.org'
Cc: Apache Directory Developers List
Subject: RE: Kerby GSS tests?

Hi Colm,

Oh bad, looks like the key use to issue ticket isn’t the same one to decrypt it in TgsRequest
processing. The encryption type should be the same, right, but then why we two different key
values or keys?
Would you debug more? Thanks.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Thursday, April 23, 2015 5:38 PM
To: Zheng, Kai
Cc: Apache Directory Developers List
Subject: Re: Kerby GSS tests?

Hi Kai,
The two keys are not the same. They have the same encoding length + kvno + tagno, but different
byte[] content.
Colm.

On Wed, Apr 22, 2015 at 5:05 PM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Hi Colm,

It looks strange to me.
Would you debug and check the two keys are the same in that place and the other place in KDC
side KdcRequest:400:
EncryptedData encryptedData = EncryptionUtil.seal(encTicketPart,
        serverKey, KeyUsage.KDC_REP_TICKET);

Thanks. I’m going to sleep now. See you tomorrow.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
Sent: Wednesday, April 22, 2015 11:15 PM
To: Apache Directory Developers List
Subject: Re: Kerby GSS tests?

Hi Kai,
I get the same error (decryption error) with this patch.
Colm.

On Wed, Apr 22, 2015 at 3:57 PM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Hi Colm,

The fix would be as follows. Would you verify and commit it if OK? Thanks.

-        EncryptionType encType = getKdcReq().getReqBody().getEtypes().listItera
-        EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
-
         Ticket ticket = apReq.getTicket();
+        EncryptionType encType = ticket.getEncryptedEncPart().getEType();
+        EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
         if (ticket.getTktvno() != KrbConstant.KRB_V5) {
             throw new KrbException(KrbErrorCode.KRB_AP_ERR_BADVERSION);
         }

From: Zheng, Kai [mailto:kai.zheng@intel.com<mailto:kai.zheng@intel.com>]
Sent: Wednesday, April 22, 2015 10:46 PM

To: coheigea@apache.org<mailto:coheigea@apache.org>
Cc: Apache Directory Developers List
Subject: RE: Kerby GSS tests?

>> Are we sure that the tgsKey above is the right key to decrpyt the request?
Yes, the ticket there to decrypt is actually for TGS to interpret and validate, a tgs key
should be used. I’m still thinking about how to get the encryption type right. It’s a
certain one this time.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Wednesday, April 22, 2015 10:01 PM
To: Zheng, Kai
Cc: Apache Directory Developers List
Subject: Re: Kerby GSS tests?


Looks good thanks! The next problem is an NPE in EncryptionHandler. This is caused by a similar
issue to before:

--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server/request/TgsRequest.java
@@ -73,9 +73,14 @@ public class TgsRequest extends KdcRequest {
             throw new KrbException(KrbErrorCode.KRB_AP_ERR_MSG_TYPE);
         }

-        EncryptionType encType = getKdcReq().getReqBody().getEtypes().listIterator().next();
-        EncryptionKey tgsKey = getTgsEntry().getKeys().get(encType);
-
+        EncryptionKey tgsKey = null;
+        for (EncryptionType encType : getKdcReq().getReqBody().getEtypes()) {
+            if (getTgsEntry().getKeys().containsKey(encType)) {
+                tgsKey = getTgsEntry().getKeys().get(encType);
+                break;
+            }
+        }
+
However, this patch results in the error:

org.apache.kerby.kerberos.kerb.KrbException: Integrity check on decrypted field failed
    at org.apache.kerby.kerberos.kerb.crypto.enc.KeKiEnc.decryptWith(KeKiEnc.java:116)
    at org.apache.kerby.kerberos.kerb.crypto.enc.AbstractEncTypeHandler.decrypt(AbstractEncTypeHandler.java:160)
    at org.apache.kerby.kerberos.kerb.crypto.enc.AbstractEncTypeHandler.decrypt(AbstractEncTypeHandler.java:148)
    at org.apache.kerby.kerberos.kerb.crypto.EncryptionHandler.decrypt(EncryptionHandler.java:165)
    at org.apache.kerby.kerberos.kerb.common.EncryptionUtil.unseal(EncryptionUtil.java:132)
    at org.apache.kerby.kerberos.kerb.server.request.TgsRequest.verifyAuthenticator(TgsRequest.java:89)
Are we sure that the tgsKey above is the right key to decrpyt the request?
Colm.

On Wed, Apr 22, 2015 at 2:27 PM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Colm,

Would you check out the fix below and verify it? Thanks!

commit 41df0299ef254d877b6f570c1b71eb35c75e9fc5
Author: Drankye <drankye@gmail.com<mailto:drankye@gmail.com>>
Date:   Wed Apr 22 21:25:21 2015 +0800

    Fixed the issue that cname field in KdcReqBody should not be used in TgsReq

Regards,
Kai

From: Zheng, Kai [mailto:kai.zheng@intel.com<mailto:kai.zheng@intel.com>]
Sent: Wednesday, April 22, 2015 8:36 PM
To: Apache Directory Developers List; coheigea@apache.org<mailto:coheigea@apache.org>

Subject: RE: Kerby GSS tests?

I just checked the codes in MIT Kerberos. It was clear we should use the value of TgsReq->pa->ApReq->ticket->encpart->cname.
The cname field in KdcReq is only used in AsReq, not used in TgsReq.
I will have a fix for this shortly.

Regards,
Kai

From: Zheng, Kai [mailto:kai.zheng@intel.com]
Sent: Wednesday, April 22, 2015 7:37 PM
To: coheigea@apache.org<mailto:coheigea@apache.org>
Cc: Apache Directory Developers List
Subject: RE: Kerby GSS tests?

Hi Colm,

Thanks for your good progress and analysis. I’m not sure how KDC would handle in such case,
but a possibility is to use the client principal name in the TGT ticket, would you inspect
the fields of the passed TGT and use the client field in it, when it’s null in the KdcReq?
I will check and make sure which way we should go later. Thanks.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org]
Sent: Wednesday, April 22, 2015 6:17 PM
To: Zheng, Kai
Cc: Apache Directory Developers List
Subject: Re: Kerby GSS tests?


Ok with the current code I've made some progress - I can now successfully get a TGT from Kerby.
However, I'm running into a puzzling issue when trying to get a service key. Essentially,
the clientPrincipal in KdcRequest.checkClient() is an empty String (and has a "null" NameType).
This means that it just tries to retrieve the client Principal using @realm, and this fails.
On the first TGT pass, the client + server principals in checkClient look like:

Client PRINC: alice@service.ws.apache.org<mailto:alice@service.ws.apache.org>
Client PRINC type: NT_PRINCIPAL
Server PRINC: krbtgt/service.ws.apache.org@service.ws.apache.org<mailto:service.ws.apache.org@service.ws.apache.org>
Server PRINC type: NT_SRV_INST
On the second call:

Client PRINC: @service.ws.apache.org<http://service.ws.apache.org>
Client PRINC type: NT_UNKNOWN
Server PRINC: bob/service.ws.apache.org@service.ws.apache.org<mailto:service.ws.apache.org@service.ws.apache.org>
Server PRINC type: NT_UNKNOWN
The SName looks find. But the CName is missing. I know this code works fine with the KDC in
Apache Directory, so we must be doing something odd with the parsing in Kerby.
Colm.

On Tue, Apr 21, 2015 at 2:07 PM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Hi Colm,

I thought it’s good to have the following fix for now, as it processes the enctypes list
from client from first to end. I just fired a follow-on issue to double check this.
https://issues.apache.org/jira/browse/DIRKRB-236

+        for (EncryptionType encType : request.getReqBody().getEtypes()) {
+            if (clientEntry.getKeys().containsKey(encType)) {
+                EncryptionKey clientKey = clientEntry.getKeys().get(encType);
+                setClientKey(clientKey);
+                break;
+            }
+        }

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
Sent: Tuesday, April 21, 2015 8:53 PM

To: Apache Directory Developers List
Subject: Re: Kerby GSS tests?

Hi Kiran,

> The enctypes should always be sorted from the most to least strong/preferred on the server
side
Is there any existing code in Apache Directory along these lines?
Colm.

On Tue, Apr 21, 2015 at 12:52 PM, Kiran Ayyagari <kayyagari@apache.org<mailto:kayyagari@apache.org>>
wrote:


On Tue, Apr 21, 2015 at 7:47 PM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Hi Colm,

Yes it’s a great fix! May be we could also update our related kdc test to repeat the issue
and guard the fix? In our existing tests, the enctypes used in KrbClient are the same with
the ones in KdcServer side, so we don’t find the issue until now. Yes, client may very likely
request different enctypes that the KdcServer doesn’t support/enable yet.

yes, clients can send different enctypes depending the platform they are running on.

The enctypes should always be sorted from the most to least strong/preferred on the server
side
and then pick the best from the ones requested by the client.
Thanks again.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
Sent: Tuesday, April 21, 2015 7:33 PM

To: Apache Directory Developers List
Subject: Re: Kerby GSS tests?

Hi Kai,
I've found another bug. We are just picking the first desired encryption type in KdcRequest.checkClient().
However, we may not actually have this key. This leads to an NPE. Example:
We are requesting:

aes256-cts-hmac-sha1-96 18
aes128-cts-hmac-sha1-96 17
des3-cbc-sha1 16
arcfour-hmac 23
des-cbc-crc 1
des-cbc-md5 3

We pick the first one...however we only have the following keys stored:

des3-cbc-sha1 16
aes128-cts-hmac-sha1-96 17
What do you think of this patch?

diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb
index 2165e17..e6bcef0 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server
@@ -239,9 +239,13 @@ public abstract class KdcRequest {
         KrbIdentity clientEntry = getEntry(clientPrincipal.getName());
         setClientEntry(clientEntry);

-        EncryptionType encType = request.getReqBody().getEtypes().listIterator(
-        EncryptionKey clientKey = clientEntry.getKeys().get(encType);
-        setClientKey(clientKey);
+        for (EncryptionType encType : request.getReqBody().getEtypes()) {
+            if (clientEntry.getKeys().containsKey(encType)) {
+                EncryptionKey clientKey = clientEntry.getKeys().get(encType);
+                setClientKey(clientKey);
+                break;
+            }
+        }
     }

     protected void preauth() throws KrbException {
Colm.


On Tue, Apr 21, 2015 at 12:18 PM, Colm O hEigeartaigh <coheigea@apache.org<mailto:coheigea@apache.org>>
wrote:

Yep I will do!
Colm.

On Tue, Apr 21, 2015 at 12:16 PM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Yes, it looks like a good fix, 0 is there instead of null, for time fields in kdc request.
Would you double check other time values by the way? Thanks!

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
Sent: Tuesday, April 21, 2015 7:11 PM

To: Apache Directory Developers List
Subject: Re: Kerby GSS tests?


The problem above is that the "end time" is 0 instead of "null". What do you think of this
patch?

diff --git a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb
index 3d49af3..23275fc 100644
--- a/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server
+++ b/kerby-kerb/kerb-server/src/main/java/org/apache/kerby/kerberos/kerb/server
@@ -370,7 +370,7 @@ public abstract class KdcRequest {
         }

         KerberosTime krbEndTime = request.getReqBody().getTill();
-        if (krbEndTime == null) {
+        if (krbEndTime == null || krbEndTime.getTime() == 0) {
             krbEndTime = krbStartTime.extend(config.getMaximumTicketLifetime()
         } else if (krbStartTime.greaterThan(krbEndTime)) {
             throw new KrbException(KrbErrorCode.KDC_ERR_NEVER_VALID);
Colm.

On Tue, Apr 21, 2015 at 12:00 PM, Colm O hEigeartaigh <coheigea@apache.org<mailto:coheigea@apache.org>>
wrote:
Hi Kai,

2.     Please disable preauth in KDC side or require preauth in client side. Looks like client
didn’t send preauth data but KDC required it.

Ok I got a bit further by doing this. However, from what I can find out, the GSS client code
should be sending the Pre authentication data (and there appears to be no option to disable
it). So I think there may be a bug in how Kerby is processing the header? Should we log a
JIRA to track this?
The error I now get (when disabling pre auth in Kerby) is:

org.apache.kerby.kerberos.kerb.KrbException: Requested start time is later than end time
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.issueTicket(KdcRequest.java:376)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:96)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:77)
    at org.apache.kerby.kerberos.kdc.impl.NettyKdcHandler.channelRead(NettyKdcHandler.java:51)
Any ideas? The Kerby server + CXF client are both on the same machine...
Colm.


If you don’t want to trouble with the config stuff, please just change the default value
of PREAUTH_REQUIRED in krb/kdc config key enumeration.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
Sent: Tuesday, April 21, 2015 6:34 PM
To: Apache Directory Developers List
Subject: Re: Kerby GSS tests?

Actually I spoke too soon, I do know how to reproduce the "pre-authentication" error. Simply
uncomment the line "kerbyServer.setInnerKdcImpl(new NettyKdcServerImpl());" in the test. If
I put a printStackTrace in the NettyKdcServerImpl, I see:

Error occured while processing request:Generic error (description in e-text)
SocketTimeOutException with attempt: 2
>>> KDCCommunication: kdc=127.0.0.1 TCP:9002, timeout=30000,Attempt =3, #bytes=169
Apr 21, 2015 11:33:05 AM io.netty.util.internal.logging.Slf4JLogger info
INFO: [id: 0xea7673e9, /0:0:0:0:0:0:0:0:9002] RECEIVED: [id: 0xbfe95a70, /127.0.0.1:43973<http://127.0.0.1:43973>
=> /127.0.0.1:9002<http://127.0.0.1:9002>]
org.apache.kerby.kerberos.kerb.KrbErrorException: Generic error (description in e-text)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.preauth(KdcRequest.java:255)
    at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:94)
    at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:77)
Colm.

On Tue, Apr 21, 2015 at 11:29 AM, Colm O hEigeartaigh <coheigea@apache.org<mailto:coheigea@apache.org>>
wrote:
Hi Kai,
Thanks for your response. I have a test-case of sorts that shows the interop failure (although
I can't reproduce the issue I reported yesterday about the preauthentication data).

https://github.com/coheigea/testcases/tree/master/apache/cxf/cxf-kerberos-kerby
Run it with "mvn clean install". You may need the install the parent module as well before
running this, which is one level up.
The test sets up a Kerby server, and I have a @Ignore'd test using Kerby client API to successfully
communicate with it. Then I have a Apache CXF-based test which uses the Kerberos functionality
here (based on GSS) to get a service ticket. If I put printStackTrace in the DefaultKdcHandler
the output looks like:

Loaded from Java config
>>> KdcAccessibility: reset
>>> KdcAccessibility: reset
Using builtin default etypes for default_tkt_enctypes
default etypes for default_tkt_enctypes: 18 17 16 23 1 3.
>>> KrbAsReq creating message
>>> KrbKdcReq send: kdc=127.0.0.1 TCP:9002, timeout=30000, number of retries =3,
#bytes=169
>>> KDCCommunication: kdc=127.0.0.1 TCP:9002, timeout=30000,Attempt =1, #bytes=169
java.net.SocketTimeoutException: Read timed out
    at java.net.SocketInputStream.socketRead0(Native Method)
    at java.net.SocketInputStream.read(SocketInputStream.java:152)
    at java.net.SocketInputStream.read(SocketInputStream.java:122)
    at java.net.SocketInputStream.read(SocketInputStream.java:210)
    at java.io.DataInputStream.readInt(DataInputStream.java:387)
    at org.apache.kerby.kerberos.kerb.transport.KrbTcpTransport.receiveMessage(KrbTcpTransport.java:54)
    at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:46)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at java.lang.Thread.run(Thread.java:745)
>>>DEBUG: TCPClient could not read length field
>>> KrbKdcReq send: #bytes read=0
Any ideas?
Colm.

On Tue, Apr 21, 2015 at 12:09 AM, Zheng, Kai <kai.zheng@intel.com<mailto:kai.zheng@intel.com>>
wrote:
Hi Colm,

We haven’t any test for GSS client against Kerby yet, though we do have tests in protocol
level for ApReq (in kerb-core-test module). We might look at existing ApacheDS Kerberos codes
to see if any such end to end tests to port.

You’re right, current UDP support for KdcNetwork and NettyKdcNetwork are to be done yet.
I originally got them done some days ago, but recently I was extremely busy with other projects,
so kinds of delayed. Sure JIRAs would be good to record them.

For the issue you ran into, do you have test codes to repeat it, so we may have the chance
to look at it? Thanks.

Regards,
Kai

From: Colm O hEigeartaigh [mailto:coheigea@apache.org<mailto:coheigea@apache.org>]
Sent: Monday, April 20, 2015 10:40 PM
To: Apache Directory Developers List
Subject: Kerby GSS tests?

Hi all,

Are there any tests in the source (or has anyone successfully tested) a Java GSS client ->
Apache Kerby?
The first issue I ran into was that neither the KdcNetwork nor the NettyKdcNetwork work with
UDP. Is there a JIRA for this (or any plans to fix it)?
I could work around the above by setting "udp_preference_limit = 1". However, I then run into
an issue where it fails due to no pre-authentication data in the request. Are we sure that
this parsing is working correctly?
Colm.


--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Kiran Ayyagari
http://keydap.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com



--
Colm O hEigeartaigh

Talend Community Coder
http://coders.talend.com
Mime
View raw message