libgssapi2-heimdal init_auth() discards configured enctypes

Bug #849349 reported by Ray Link
This bug affects 1 person
Affects: heimdal (Ubuntu)
Status: Opinion
Importance: Low
Assigned to: Unassigned

Bug Description

Heimdal's libgssapi init_auth() makes a call to krb5_set_default_in_tkt_etypes() to support certain NFS clients. However, this call is always made, and thus can also be made when the second argument passed can be NULL. The behaviour of krb5_set_default_in_tkt_etypes() in such an invocation is to reset the GSS-API context to requesting keys with any enctype supported by the client libraries.

The unfortunate side effect of this is that the list of desired enctypes requested by clients now no longer matches the list of approved enctypes specified in the system krb5.conf, and as such *all* GSS-API initiators effectively ignore the admin-configured list of desired enctypes.

The proper fix is to call krb5_set_default_in_tkt_etypes() if and only if the second argument is not NULL, as per the attached patch.

The patch has already been submitted upstream against 1.5, but also applies cleanly to all versions of Heimdal from at least Lucid (1.2.e1.dfsg.1-1ubuntu1) onwards.

Tags: patch
Ray Link (rlink) wrote :

A reply from the upstream developer to my upstream patch submission has revealed that fixing this bug exposes another edge-case bug elsewhere.

A decision on what to do upstream is pending.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "Patch to lib/gssapi/krb5/init_sec_context.c" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Jelmer Vernooij (jelmer) wrote :

Can you perhaps provide some more context on the discussion with upstream? I haven't seen anything on the mailing list.

Ray Link (rlink) wrote :

The discussion was via private email.

In short, the existing code's call to krb5_set_default_in_tkt_etypes() with a second argument that may be NULL is a sneaky way of avoiding the situation where using a restricted credential will restrict all credentials in the current thread. It fixes one bit of undesirable behaviour in a way that causes different undesirable behaviour.

Upstream believes that the current behaviour (not over-restricting credentials in a thread) is more desirable than not throwing away the list of configured enctypes, but agrees that both problems need to be solved the right way, simultaneously. So we're kind of stuck until one of us gets around to creating a better patch.
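
The trade-off described in the comments above, as an added example that is not part of the bug report or of Heimdal: a simplified C model in which every name (model_ctx, model_set_etypes, init_auth_unconditional, init_auth_patched) and the sample enctype list are hypothetical. It shows the unconditional call discarding the configured list, and the patched call leaving a restriction in place for a later unrestricted credential in the same thread.

```c
/* Simplified model of the behaviour discussed in this report. NOT Heimdal code:
 * every name below is hypothetical and only mirrors the thread's description. */
#include <stddef.h>
#include <stdio.h>
/* Which enctype list the per-thread Kerberos context currently requests. */
enum { CONFIGURED = 0, ALL_SUPPORTED = 1, RESTRICTED = 2 };
struct model_ctx { int active; };
typedef void (*init_fn)(struct model_ctx *, const int *);

/* Stand-in for krb5_set_default_in_tkt_etypes(): a NULL list resets the
 * context to every enctype the client libraries support. */
static void model_set_etypes(struct model_ctx *c, const int *etypes)
{ c->active = etypes ? RESTRICTED : ALL_SUPPORTED; }

/* Existing behaviour: the call is always made, even with NULL. */
static void init_auth_unconditional(struct model_ctx *c, const int *etypes)
{ model_set_etypes(c, etypes); }

/* Proposed patch: call if and only if the second argument is not NULL. */
static void init_auth_patched(struct model_ctx *c, const int *etypes)
{ if (etypes != NULL) model_set_etypes(c, etypes); }

/* Case 1: one unrestricted credential; context starts from krb5.conf. */
static int unrestricted_only(init_fn init)
{
    struct model_ctx c = { CONFIGURED };
    init(&c, NULL);
    return c.active;
}

/* Case 2: a restricted credential, then an unrestricted one, same thread. */
static int restricted_then_unrestricted(init_fn init)
{
    const int one_etype[] = { 18, 0 };  /* constructed sample list */
    struct model_ctx c = { CONFIGURED };
    init(&c, one_etype);
    init(&c, NULL);
    return c.active;
}

int main(void)
{
    printf("unconditional: %d %d, patched: %d %d\n",
           unrestricted_only(init_auth_unconditional),
           restricted_then_unrestricted(init_auth_unconditional),
           unrestricted_only(init_auth_patched),
           restricted_then_unrestricted(init_auth_patched));
    return 0;
}
```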

James Page (james-page)
Changed in heimdal (Ubuntu):
status: New → Opinion
importance: Undecided → Low