Bug 1118653 - ksu fails authentication if TGT lifetime is less than 5 mins.
Summary: ksu fails authentication if TGT lifetime is less than 5 mins.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: krb5
Version: 6.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Robbie Harwood
QA Contact: Patrik Kis
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-07-11 08:38 UTC by Kaushik Banerjee
Modified: 2015-10-07 17:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-10-07 17:22:07 UTC


Attachments
ksu core file (330.79 KB, application/x-gzip)
2015-03-09 17:26 UTC, Patrik Kis

Description Kaushik Banerjee 2014-07-11 08:38:53 UTC
Description of problem:
ksu fails authentication if TGT lifetime is less than 5 mins

Version-Release number of selected component (if applicable):
krb5-workstation-1.10.3-25.el6 on RHEL6.6

How reproducible:
Always

Steps to Reproduce:
1. Set up krb5.conf to point kdc to the krb5 server (on rhel6.5)
2. Generate keytab with host/CLIENT principal and copy over to client.
3. Set up k5login as follows:
# cat /home/testuser3/.k5login
testuser4@EXAMPLE.COM
testuser3@EXAMPLE.COM 
4. Login as testuser4
$ klist
Ticket cache: FILE:/tmp/krb5cc_2004_vCUn98
Default principal: testuser4@EXAMPLE.COM

Valid starting     Expires            Service principal
06/26/14 21:59:33  06/26/14 22:04:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
     renew until 06/26/14 21:59:33 

Note the TGT lifetime of 5 mins ^^

5. ksu to testuser3
$ ksu testuser3
ksu: Matching credential not found while verifying ticket for server
Authentication failed. 


Actual results:
ksu fails authentication

Expected results:
ksu authentication works

Additional info:

Comment 2 Kaushik Banerjee 2014-07-11 08:42:33 UTC
Reply from Nalin on the issue discussed on e-mail:

When obtaining credentials to use to verify a TGT, libkrb5 always tries
to obtain credentials with a lifetime of 5 minutes.  If the remaining
lifetime of the TGT is less than that, the issued ticket will have a
shorter lifetime, and libkrb5's subsequent attempt to retrieve the
newly-issued ticket from its temporary cache, which is specified as a
search for a ticket with a lifetime of at least 5 minutes, will fail,
the TGT verification will fail, and ksu will fail the authentication.

Contrast
  ssh -t testuser4@localhost ksu testuser3
with
  ssh -t testuser4@localhost 'sleep 1; ksu testuser3'

You'll need to be pretty quick in the current configuration, the first
case will work.

When the ticket is already present in the cache, ksu's "fast" path
retrieves the credential directly, and it'll use any non-expired ticket
for a service for which the keytab contains keys.

To avoid this problem, try increasing the maximum lifetime of TGTs for
your realm.  It's kind of an unusual case, but I'm trying a tweak
that'll make it work that I'll want to run past upstream before doing
anything else
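
Added example, not part of the original comment and not libkrb5 or ksu code: a small C model of the lookup described above, showing why a ticket capped by a short TGT misses a "lifetime of at least 5 minutes" search. All function names are hypothetical and the timestamps are constructed.

```c
/* Added example: simplified model of the lookup described in comment 2.
 * All names are hypothetical; this is not libkrb5 or ksu code. */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

#define VERIFY_LIFETIME (5 * 60) /* seconds requested for the verification ticket */

/* KDC side: a service ticket never outlives the TGT used to request it. */
static time_t kdc_issue_endtime(time_t requested_end, time_t tgt_end)
{
    return requested_end < tgt_end ? requested_end : tgt_end;
}

/* Lifetime-matching cache search: the stored ticket must last at least
 * as long as the request asked for. */
static bool cache_match_times(time_t stored_end, time_t requested_end)
{
    return stored_end >= requested_end;
}

/* Verification path: request a 5-minute ticket, then search the temporary
 * cache for one with at least that lifetime. */
bool verify_tgt(time_t now, time_t tgt_end)
{
    time_t want = now + VERIFY_LIFETIME;
    time_t issued_end = kdc_issue_endtime(want, tgt_end);
    return cache_match_times(issued_end, want);
}

/* Acceptance rule comment 2 gives for the "fast" path: any ticket
 * already in the cache that has not expired. */
bool fast_path_accepts(time_t now, time_t cached_end)
{
    return cached_end > now;
}

int main(void)
{
    time_t t0 = 1403819973;     /* constructed: moment the TGT is issued */
    time_t tgt_end = t0 + 300;  /* 5-minute TGT, as in the report */

    printf("ksu at once:         %s\n", verify_tgt(t0, tgt_end) ? "ok" : "fail");
    printf("ksu after 'sleep 1': %s\n", verify_tgt(t0 + 1, tgt_end) ? "ok" : "fail");
    printf("fast path, 1s later: %s\n", fast_path_accepts(t0 + 1, tgt_end) ? "ok" : "fail");
    return 0;
}
```

In this model the check passes only while the TGT still has the full 300 seconds left, which matches the ssh contrast with and without 'sleep 1'.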

Comment 3 Nalin Dahyabhai 2014-08-26 20:59:10 UTC
This should be upstream ticket #7996.

Comment 4 Roland Mainz 2015-03-04 13:17:29 UTC
Builds available (see http://brewweb.devel.redhat.com/brew/taskinfo?taskID=8807484), switching state to MODIFIED.

Comment 6 Patrik Kis 2015-03-09 17:24:57 UTC
This fix caused a regression; bug report reassigned back.

Reproducer:

# rpm -q krb5-libs
krb5-libs-1.10.3-36.el6.x86_64
# ulimit -c
unlimited
# cat /proc/sys/fs/suid_dumpable 
2
# cat /root/.k5users 
bob@ZMRAZ.COM *
#
# su - alice
$ kinit alice
Password for alice@ZMRAZ.COM: 
$ ksu root -n bob@ZMRAZ.COM -e /usr/bin/whoami
WARNING: Your password may be exposed if you enter it here and are logged 
         in remotely using an unsecure (non-encrypted) channel. 
Kerberos password for bob@ZMRAZ.COM: : 
Segmentation fault (core dumped)
$ # Note: bob's kerberos password was entered
$ exit
logout
#
#
# gdb /usr/bin/ksu /home/alice/core.18550 
Core was generated by `ksu root -n bob@ZMRAZ.COM -e /usr/bin/whoami'.
Program terminated with signal 11, Segmentation fault.
#0  krb5_copy_principal (context=0x7f9d7cc951f0, inprinc=0x0, outprinc=0x7f9d7ce56970) at copy_princ.c:43
43	    *tempprinc = *inprinc;
(gdb) bt
#0  krb5_copy_principal (context=0x7f9d7cc951f0, inprinc=0x0, outprinc=0x7f9d7ce56970) at copy_princ.c:43
#1  0x00007f9d7a723f36 in krb5_mcc_initialize (context=0x7f9d7cc951f0, id=<value optimized out>, princ=0x0)
    at cc_memory.c:158
#2  0x00007f9d7a75808d in krb5_verify_init_creds (context=0x7f9d7cc951f0, creds=0x7fff5922def0, 
    server_arg=<value optimized out>, keytab_arg=0x0, ccache_arg=0x0, options=0x7fff5922df70)
    at vfy_increds.c:167
#3  0x00007f9d7abea7c5 in krb5_auth_check (context=0x7f9d7cc951f0, client_pname=<value optimized out>, 
    hostname=<value optimized out>, options=0x7fff5922e060, target_user=<value optimized out>, 
    cc=0x7f9d7cc98400, path_passwd=0x7fff5922e0c0, target_uid=0) at krb_auth_su.c:137
#4  0x00007f9d7abee5c3 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:543
(gdb) bt f
#0  krb5_copy_principal (context=0x7f9d7cc951f0, inprinc=0x0, outprinc=0x7f9d7ce56970) at copy_princ.c:43
        tempprinc = 0x7f9d7cc9d6b0
        i = <value optimized out>
        nelems = <value optimized out>
#1  0x00007f9d7a723f36 in krb5_mcc_initialize (context=0x7f9d7cc951f0, id=<value optimized out>, princ=0x0)
    at cc_memory.c:158
        ret = 0
        d = 0x7f9d7ce56930
#2  0x00007f9d7a75808d in krb5_verify_init_creds (context=0x7f9d7cc951f0, creds=0x7fff5922def0, 
    server_arg=<value optimized out>, keytab_arg=0x0, ccache_arg=0x0, options=0x7fff5922df70)
    at vfy_increds.c:167
        ret = 0
        server = 0x7f9d7cc9e210
        keytab = 0x7f9d7cc9e8a0
        ccache = 0x7f9d7cc9e7e0
        kte = {magic = -1760647389, principal = 0x7f9d7cc9e0c0, timestamp = 1425920816, vno = 2, key = {
            magic = -1760647421, enctype = 18, length = 32, contents = 0x7f9d7cc9df70 "\260\340\311|\235\177"}}
        in_creds = {magic = 0, client = 0x0, server = 0x0, keyblock = {magic = 0, enctype = 0, length = 0, 
            contents = 0x0}, times = {authtime = 0, starttime = 0, endtime = 0, renew_till = 0}, is_skey = 0, 
          ticket_flags = 0, addresses = 0x0, ticket = {magic = 0, length = 0, data = 0x0}, second_ticket = {
            magic = 0, length = 0, data = 0x0}, authdata = 0x0}
        out_creds = 0x0
        authcon = 0x0
        ap_req = {magic = 0, length = 0, data = 0x0}
#3  0x00007f9d7abea7c5 in krb5_auth_check (context=0x7f9d7cc951f0, client_pname=<value optimized out>, 
    hostname=<value optimized out>, options=0x7fff5922e060, target_user=<value optimized out>, 
    cc=0x7f9d7cc98400, path_passwd=0x7fff5922e0c0, target_uid=0) at krb_auth_su.c:137
        client = 0x7f9d7cc98930
        vfy_opts = {flags = 1, ap_req_nofail = 1}
        tgt = {magic = 0, client = 0x0, server = 0x0, keyblock = {magic = 0, enctype = 0, length = 0, 
            contents = 0x0}, times = {authtime = 0, starttime = 0, endtime = 0, renew_till = 0}, is_skey = 0, 
          ticket_flags = 0, addresses = 0x0, ticket = {magic = 0, length = 0, data = 0x0}, second_ticket = {
            magic = 0, length = 0, data = 0x0}, authdata = 0x0}
        tgtq = {magic = 0, client = 0x7f9d7cc98870, server = 0x7f9d7cc987e0, keyblock = {magic = 0, 
            enctype = 0, length = 0, contents = 0x0}, times = {authtime = 0, starttime = 0, endtime = 0, 
            renew_till = 0}, is_skey = 0, ticket_flags = 0, addresses = 0x0, ticket = {magic = 0, length = 0, 
            data = 0x0}, second_ticket = {magic = 0, length = 0, data = 0x0}, authdata = 0x0}
        retval = <value optimized out>
        zero_password = 0
#4  0x00007f9d7abee5c3 in main (argc=<value optimized out>, argv=<value optimized out>) at main.c:543
        client_name = <value optimized out>
        hp = 0
        some_rest_copy = <value optimized out>
        all_rest_copy = <value optimized out>
        options = {opt = 0, lifetime = 43200, rlife = 0, princ = 1}
        option = <value optimized out>
        statusp = 0
        retval = <value optimized out>
        client = 0x7f9d7cc958f0
        cc_target = 0x7f9d7cc98400
        ksu_context = 0x7f9d7cc951f0
        cc_target_tag = 0x7f9d7cc95cd0 "FILE:/tmp/krb5cc_0.24"
        target_user = 0x7f9d7cc95160 "root"
        source_user = 0x7f9d7cc95c30 "alice"
        cc_source = 0x7f9d7cc95cb0
        cc_source_tag = 0x7f9d7cc95c50 "FILE:/tmp/krb5cc_500"
        cc_source_tag_tmp = <value optimized out>
        cc_target_tag_tmp = 0x7f9d7cc95cd5 "/tmp/krb5cc_0.24"
        cmd = <value optimized out>
        exec_cmd = 0x0
        errflg = <value optimized out>
        auth_val = <value optimized out>
        authorization_val = 0
        path_passwd = 1
        done = <value optimized out>
        i = <value optimized out>
        j = <value optimized out>
        ruid = 2093571285
        pwd = <value optimized out>
        target_pwd = <value optimized out>
        shell = <value optimized out>
        params = 0x7f9d7cc959a0
        child_pid = <value optimized out>
        child_pgrp = <value optimized out>
        ret_pid = <value optimized out>
        pargc = <value optimized out>
        pargv = <value optimized out>
        st_temp = {st_dev = 64768, st_ino = 396785, st_nlink = 1, st_mode = 33152, st_uid = 0, st_gid = 500, 
          __pad0 = 0, st_rdev = 0, st_size = 1006, st_blksize = 4096, st_blocks = 8, st_atim = {
            tv_sec = 1425921154, tv_nsec = 833000027}, st_mtim = {tv_sec = 1425921154, tv_nsec = 833000027}, 
          st_ctim = {tv_sec = 1425921154, tv_nsec = 833000027}, __unused = {0, 0, 0}}
        stored = 0
        kdc_server = 0xfffffffff97cff8c
        zero_password = 0
        dir_of_cc_target = <value optimized out>
(gdb) q

Comment 7 Patrik Kis 2015-03-09 17:26:33 UTC
Created attachment 999641
ksu core file

