Password Changing failing from Windows to MIT KDC

Password Changing failing from Windows to MIT KDC

Mike Friedman

I posted on this a few days ago but haven't received any replies, so I
figure it may have fallen through the cracks.

It seems that with the current release of KfW, password changing fails to
either a 1.3.4 or 1.4.2 KDC.  Yet, earlier versions of KfW don't have this
problem.  Similarly with Windows native Kerberos password changing.  I
haven't done testing of the latter myself, but a colleague who works on
Windows has.

The message he receives is this:

    Server error: Failed decrypting request

The KDC logs show a successful issuing of the kadmin/changepw service
credential, but no further action indicating a change password
transaction.

I suspected a client host firewall problem (re: UDP 464), but the problem
continues even with no firewall rules in place.

Has something changed with the new versions of KfW?

Thanks.

Mike

_____________________________________________________________________
Mike Friedman                   System and Network Security
[hidden email]          2484 Shattuck Avenue
1-510-642-1410                  University of California at Berkeley
http://ack.Berkeley.EDU/~mikef  http://security.berkeley.edu
_____________________________________________________________________

________________________________________________
Kerberos mailing list           [hidden email]
https://mailman.mit.edu/mailman/listinfo/kerberos
Re: Password Changing failing from Windows to MIT KDC

Jeffrey Altman-3
Mike:

I can verify that there is a problem although I cannot determine
at the moment what the source of it is.   What is the most recent
version of KFW that you are aware works?

Please send a bug report to [hidden email].

Jeffrey Altman


--
-----------------
This e-mail account is not read on a regular basis.
Please send private responses to jaltman at mit dot edu
Re: Password Changing failing from Windows to MIT KDC

Mike Friedman

On Tue, 23 Aug 2005 at 02:45 (-0000), Jeffrey Altman wrote:

> I can verify that there is a problem although I cannot determine at the
> moment what the source of it is.  What is the most recent version of KFW
> that you are aware works?

Jeffrey,

Further investigation by my Windows colleagues appears to reveal that
password changing fails only when issued from a NAT'ed private IP address.
This is true both for KfW and for native Windows Kerberos password
changing.

But this problem has apparently existed for some time with admin functions
in general (e.g., kadmin) and not only from Windows systems.

So, as it stands, we have no evidence of a new problem either with recent
KfW releases or with a current version of the KDC.

Is the problem that you say you can verify perhaps also related to NAT'ed
private IP addresses?

Mike


Re: Password Changing failing from Windows to MIT KDC

Jeffrey Altman-3
Mike:

Thanks for this additional piece of information.   It is quite
possible that the issue is related to NAT effects.   I will need
to look into the reason for why a ticket containing addresses is
being obtained.   The default for KFW is to not obtain tickets
with addresses.

Jeffrey Altman


Re: Password Changing failing from Windows to MIT KDC

Ken Hornstein
>Further investigation by my Windows colleagues appears to reveal that
>password changing fails only when issued from a NAT'ed private IP address.
>This is true both for KfW and for native Windows Kerberos password
>changing.

Password changing doesn't work behind a NAT.  That's well-known (well,
except that I guess not everyone knew that :-)).  The reason is long
and complicated (short answer: password changing uses a KRB_PRIV
message, which has to have the source IP address in it, which always is
wrong behind a NAT).  This is not related to addressless tickets.  But
I thought that the Windows Kerberos password changing didn't use a
KRB_PRIV message, so maybe I'm wrong.  But the message you're getting
is definitely what I saw when I ran into this problem.

Fixing this involves changing krb5_rd_priv() to ignore the source IP
address in the KRB_PRIV message.  You probably want to make this
conditional, so that you only ignore it for password changing.  You can
look at the archives (maybe this was discussed on krbdev) for the ...
"discussion" about this.  My take: I don't believe there is a security
problem with ignoring the IP address in KRB_PRIV messages for password
changing, and the amount of code to make this work is small.

--Ken