krb5-kdc-ldap plugin crashes krb5-kdc sometimes when password policy is set

Reported by Mark Deneen on 2011-02-09
Affects: krb5 (Ubuntu)
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: krb5-kdc

I have a krb5kdc server running, using openldap as a data store. This works great and, for most clients, it is fine. I have a password policy set as follows:

krbMaxPwdLife: 3628800
krbMinPwdLife: 0
krbPwdMinDiffChars: 1
krbPwdMinLength: 6
krbPwdHistoryLength: 3
krbPwdMaxFailure: 20
krbPwdFailureCountInterval: 0
krbPwdLockoutDuration: 8

I have a zimbra server running, configured to use kerberos5 for authentication. This appears to be working. I left a mail client (Thunderbird) running, periodically checking for new messages. After a few hours, krb5kdc crashed. I ran it through strace and found the following:

krb5kdc: ../../../../../ src/plugins/kdb/ldap/libkdb_ldap/lockout.c:161: krb5_ldap_lockout_audit: Assertion '!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed..

I took a peek at the code, but the assertion line didn't mean that much to me. It did point me to the krbPwdLockoutDuration setting. Looking at it now, I sure hope that it represents minutes.

Regardless, it shouldn't be possible to crash the KDC and I can now do it very reliably. Any idea what the assertion is checking for and what I can do to prevent this from happening?

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.4
ProcVersionSignature: Ubuntu 2.6.32-23.37-server 2.6.32.15+drm33.5
Uname: Linux 2.6.32-23-server x86_64
Architecture: amd64
Date: Tue Feb 8 22:53:43 2011
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
ProcEnviron:
 PATH=(custom, no user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: krb5

Mark Deneen (mdeneen) wrote :

If this allows an attacker to cause a DoS by crashing the kdc, should I have checked on the "Security issue" checkbox?

Mark Deneen (mdeneen) wrote :

I built 1.8.3 from the natty source package, but the problem still exists in that version.

Mark Deneen (mdeneen) wrote :

I built 1.9.0 with the debian package diff from the Debian experimental repository. The problem exists there as well.

>>>>> "Mark" == Mark Deneen <email address hidden> writes:

    Mark> I built 1.8.3 from the natty source package, but the problem
    Mark> still exists in that version.

If you're comfortable trying a package out of my PPA (I'm the Debian
krb5 maintainer and a member of the upstream core team),
take a look at the 1.9 packages in
https://launchpad.net/~hartmans/+archive/krb5

I think there are some upstream changes in 1.9 in this area to improve
similar issues.

--Sam

Mark Deneen (mdeneen) wrote :

Sam, I'll give it a shot.

Mark Deneen (mdeneen) wrote :

Sam,

Same result:

<pre>
 | 00000 6b 72 62 35 6b 64 63 3a 20 2e 2e 2f 2e 2e 2f 2e krb5kdc: ../../. |
 | 00010 2e 2f 2e 2e 2f 2e 2e 2f 73 72 63 2f 70 6c 75 67 ./../../ src/plug |
 | 00020 69 6e 73 2f 6b 64 62 2f 6c 64 61 70 2f 6c 69 62 ins/kdb/ ldap/lib |
 | 00030 6b 64 62 5f 6c 64 61 70 2f 6c 6f 63 6b 6f 75 74 kdb_ldap /lockout |
 | 00040 2e 63 3a 31 37 38 3a 20 6b 72 62 35 5f 6c 64 61 .c:178: krb5_lda |
 | 00050 70 5f 6c 6f 63 6b 6f 75 74 5f 61 75 64 69 74 3a p_lockou t_audit: |
 | 00060 20 41 73 73 65 72 74 69 6f 6e 20 60 21 6c 6f 63 Asserti on `!loc |
 | 00070 6b 65 64 5f 63 68 65 63 6b 5f 70 28 63 6f 6e 74 ked_chec k_p(cont |
 | 00080 65 78 74 2c 20 73 74 61 6d 70 2c 20 6d 61 78 5f ext, sta mp, max_ |
 | 00090 66 61 69 6c 2c 20 6c 6f 63 6b 6f 75 74 5f 64 75 fail, lo ckout_du |
 | 000a0 72 61 74 69 6f 6e 2c 20 65 6e 74 72 79 29 27 20 ration, entry)' |
 | 000b0 66 61 69 6c 65 64 2e 0a failed.. |
</pre>

(I don't know if launchpad supports html formatting, so let's see what I get)

Do you know what this assertion is trying to prevent? Perhaps it is a configuration problem on my end.

Sam Hartman (hartmans) wrote :

>>>>> "Mark" == Mark Deneen <email address hidden> writes:

    Mark> Sam, I'll give it a shot. -- You received this bug
    Mark> notification because you are subscribed to krb5 in ubuntu.
    Mark> https://bugs.launchpad.net/bugs/715579

I'm sorry I asked you to do this.
I didn't see your note that you had already tried 1.9.
OK, so this is presumably an upstream issue.

I know that several of the upstream developers monitor the Ubuntu bugs.
I will not have time to look into it for a while, but hopefully others
will.

Mark Deneen (mdeneen) wrote :

Sam,

I destroyed my thunderbird profile and recreated it. The KDC is no longer crashing, so that's good, but it shouldn't be possible for any application to remotely cause the KDC to quit.

I'll let thunderbird run for a bit and see if I experience the same problem.

Thanks again.

-M

Scott Moser (smoser) on 2011-03-10
Changed in krb5 (Ubuntu):
importance: Undecided → Medium
status: New → Confirmed

Mark Deneen (mdeneen) wrote :

I just wanted to note that in my environment, this is happening many times a day. I run the kdc through runit, so things get restarted immediately, but something is clearly wrong:

2011-05-27_11:21:32.11310 krb5kdc: starting...
2011-05-27_11:22:01.99218 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:22:02.01489 krb5kdc: starting...
2011-05-27_11:22:34.82072 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:22:34.84385 krb5kdc: starting...
2011-05-27_11:23:04.85051 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:23:04.87166 krb5kdc: starting...
2011-05-27_13:41:47.11749 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:41:47.13390 krb5kdc: starting...
2011-05-27_13:42:15.83151 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:15.84522 krb5kdc: starting...
2011-05-27_13:42:17.12465 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:17.14709 krb5kdc: starting...
2011-05-27_13:42:47.15550 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:47.16933 krb5kdc: starting...
2011-05-27_13:42:59.14972 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:42:59.17231 krb5kdc: starting...
2011-05-27_13:43:21.32805 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:43:21.33698 krb5kdc: starting...
2011-05-27_13:43:29.18399 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:43:29.20055 krb5kdc: starting...
2011-05-27_13:43:51.35396 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:43:51.38001 krb5kdc: starting...

Any idea what the assertion is trying to prevent? Should I contact the upstream developers?
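
Added example, not part of the original report and not krb5 code: a parser for the runit log format quoted above that pairs each `krb5kdc: starting...` line with the assertion abort that follows it and flags a crash loop. The function names, the threshold of 3 aborts and the 5-minute window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2011-05-27_11:21:32.11310 krb5kdc: starting...
2011-05-27_11:22:01.99218 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:22:02.01489 krb5kdc: starting...
2011-05-27_11:22:34.82072 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:22:34.84385 krb5kdc: starting...
2011-05-27_11:23:04.85051 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_11:23:04.87166 krb5kdc: starting...
2011-05-27_13:41:47.11749 krb5kdc: ../../../../../src/plugins/kdb/ldap/libkdb_ldap/lockout.c:178: krb5_ldap_lockout_audit: Assertion `!locked_check_p(context, stamp, max_fail, lockout_duration, entry)' failed.
2011-05-27_13:41:47.13390 krb5kdc: starting...
"""  # first restarts from the runit log quoted above, embedded to run offline

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d_\d\d:\d\d:\d\d\.\d+) krb5kdc: (?P<msg>.*)$")
ASSERT = re.compile(r"(?P<file>\S+):(?P<line>\d+): (?P<func>\w+): Assertion [`'].+' failed")

def parse(text):
    """Yield (timestamp, kind, site) for each daemon start and assertion abort."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d_%H:%M:%S.%f")
        a = ASSERT.search(m["msg"])
        if a:  # keep only file:line and function, dropping the build-tree prefix
            yield ts, "abort", f'{a["file"].rsplit("/", 1)[-1]}:{a["line"]} {a["func"]}'
        elif m["msg"].startswith("starting"):
            yield ts, "start", None

def crash_cycles(text):
    """Pair each abort with the preceding start: (abort_time, uptime_seconds, site)."""
    cycles, started = [], None
    for ts, kind, site in parse(text):
        if kind == "start":
            started = ts
        else:
            cycles.append((ts, (ts - started).total_seconds() if started else None, site))
            started = None
    return cycles

def crash_loops(cycles, threshold=3, window=timedelta(minutes=5)):
    """Abort times at which `threshold` aborts have landed inside `window`."""
    times = [c[0] for c in cycles]
    return [t for i, t in enumerate(times)
            if i + 1 >= threshold and t - times[i + 1 - threshold] <= window]

if __name__ == "__main__":
    print(crash_loops(crash_cycles(SAMPLE_LOG)))
```

A supervisor such as runit hides this failure from clients by restarting the daemon, so the uptime per cycle and the abort site are the values worth alerting on.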

Jamie Strandboge (jdstrand) wrote :

This should be fixed with http://www.ubuntu.com/usn/usn-1233-1/

Changed in krb5 (Ubuntu):
status: Confirmed → Fix Released