[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Problems with kpasswdd handling multiple realms...

> > Howdy.  I'm in a situation where I have multiple realms on the same
> > KDC, which is working flawlessly... except for changing passwords.
> Ok, I see why you have a problem.

Thank you for turning out a patch, it is working very well for me.  I
haven't pushed this out 100% yet, but don't foresee any problems.

> If you add multiple [libdefaults]default_realm stanzas the patch
> below should do what you want.

FWIW (more for the archives than anything else), it works without
adding any default_realms because I'm using DNS for nearly all
kerberos configuration bits.

> I've not tested the patch (except compiling), I feel I need to
> digest it for a day for two more before commit it.

Works like a charm!

I'm running into a few "interesting" behaviors, however.  Assume I've
done the following four steps:

1) I login and obtain a ticket for user@ISP.COM

2) I ssh to another realm via krbtgt/EXAMPLE.COM@ISP.COM and I forward
   my ticket.

3) I'm now logged into a machine host/ssh.example.com@EXAMPLE.COM.

4) klist(1) correctly shows my principal as user@ISP.COM

Now, the things I've noticed (not necessarily all password based):

*) I don't think this is a bad thing, but, when I login as
   user@ISP.COM onto ssh.example.com, I can not change my password
   even though I pre-auth correctly and the machine I log into is
   managed by the same KDC (ie, the kdc has the keytab for this
   machine).  While I'm not inclined to think this is a bad thing, I
   don't think it's correct.

	==> kdc <==
	2005-04-18T11:32:48 AS-REQ user@ISP.COM from IPv4:a.b.c.d for kadmin/changepw@ISP.COM
	2005-04-18T11:32:48 No PA-ENC-TIMESTAMP -- user@ISP.COM
	2005-04-18T11:32:48 sending 215 bytes to IPv4:a.b.c.d
	2005-04-18T11:32:48 AS-REQ user@ISP.COM from IPv4:a.b.c.d for kadmin/changepw@ISP.COM
	2005-04-18T11:32:48 Looking for pa-data -- user@ISP.COM
	2005-04-18T11:32:48 Pre-authentication succeded -- user@ISP.COM
	2005-04-18T11:32:48 Using des3-cbc-sha1/des3-cbc-sha1
	2005-04-18T11:32:48 sending 631 bytes to IPv4:a.b.c.d

	==> kpasswdd <==
	2005-04-18T11:32:50 client used not valid principal kadmin/changepw@ISP.COM

*) "succeded" should be spelled as "succeeded."  *grin*

*) When I change my password, I'm noticing that the kdc tosses a
   message about there being no timestamp on the ticket
   request.... that doesn't seem right to me either.  Am I being hyper
   sensitive here or shouldn't the client timestamp its request to
   prevent reuse of stolen tickets?  I haven't looked into this in any
   detail, but it caught my attention and I haven't had a chance to
   dig into it yet.

	==> kdc/log/main/current <==
	2005-04-18T10:52:41 AS-REQ user@EXAMPLE.COM from IPv4:a.b.c.d for kadmin/changepw@EXAMPLE.COM
	2005-04-18T10:52:41 No PA-ENC-TIMESTAMP -- user@EXAMPLE.COM
	2005-04-18T10:52:41 sending 227 bytes to IPv4:a.b.c.d
	2005-04-18T10:52:41 AS-REQ user@EXAMPLE.COM from IPv4:a.b.c.d for kadmin/changepw@EXAMPLE.COM
	2005-04-18T10:52:41 Looking for pa-data -- user@EXAMPLE.COM
	2005-04-18T10:52:41 Pre-authentication succeded -- user@EXAMPLE.COM
	2005-04-18T10:52:41 Using des3-cbc-sha1/des3-cbc-sha1
	2005-04-18T10:52:41 sending 653 bytes to IPv4:a.b.c.d

	==> kpasswdd/log/main/current <==
	2005-04-18T10:52:44 Changing password for user@EXAMPLE.COM

*) If I add user/root@ISP.COM to .k5login on
   host/ssh.example.com@EXAMPLE.COM, I'd expect to be able to use
   user/root@ISP.COM to ksu(1) to root.  This is not the case.
   Instead, it asks for user/root@EXAMPLE.COM.  Is there any chance
   ksu(1) could look at the principal's realm instead of using the
   host's realm?  I'd ideally like to have my administrators who tend
   to client boxes to only have two - at most three - principals
   (user@, user/root@, user/admin@), instead of 3 + (1 * number of
   client realms - the root instance).

*) Lastly, imagine a box with two IP addresses:	   - www.example.com	   - ssh.example.com

   This particular client started off with ssh listening on
   www.example.com, but changed the firewall rules so that they can
   only log in via the aliased address .11.  This posses a problem
   only in so far as when the kerberos libraries try to authenticate a
   login request, it uses .10 as the address that it makes the request
   from, even though the client is authenticating using the principal
   from .11 (ie, the client obtains a ticket for ssh.example.com, then
   the machine relays the login request via www.example.com - which
   doesn't work).

   Is there any way to have the authentication request done by the
   libraries bind to a particular IP address?  Either in the form of a
   configuration directive, or by doing a DNS lookup and binding to
   the address of service that the user is trying to authenticate to?

Thanks in advance.  -sc

Sean Chittenden

PGP signature