After failed auth, subsequent auths in same context fail

Bug #988520 reported by Russ Allbery on 2012-04-25
32
This bug affects 4 people
Affects Status Importance Assigned to Milestone
krb5 (Debian)
Fix Released
Unknown
krb5 (Ubuntu)
Medium
Unassigned
Precise
Medium
Unassigned

Bug Description

SRU Justification

[Impact]

If an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail. This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.

[Development Fix]

New upstream release. Updated in Debian. Synced in Ubuntu. Verified fixed on Quantal using test case below.

[Stable Fix]

Upstream patch cherry-picked. Debdiff attached.

[Test Case]

testcase.sh attached.

[Regression Potential]

Low: one line patch for missing initialisation written by upstream.

Original report by Russ Allbery:

MIT Kerberos 1.10 (including pre-releases and betas) exposed a bug in the tracking of preauth mechanisms such that, if an authentication fails after preauth was requested, all subsequent preauth-required authentications in the same Kerberos context will also fail.

This breaks password change when credentials have expired, and also breaks try_first_pass functionality in Kerberos PAM modules.

Upstream has fixed this problem in their mainline with commit 25822.

James Page (james-page) wrote :

Thanks for taking the time to report this bug in Ubuntu.

As 12.04 is running 1.10+dfsg~beta1 we will need to pickup this fix.

Fix: http://src.mit.edu/fisheye/changelog/krb5/?cs=25822

Upstream bug: http://krbdev.mit.edu/rt/Ticket/Display.html?id=7119

Changed in krb5 (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
James Page (james-page) wrote :

Russ

In order to put this fix into Ubuntu 12.04 we will need a good test case to reproduce the issue.

Is this something you could provide?

Thanks

Changed in krb5 (Ubuntu):
status: Confirmed → Incomplete
Changed in krb5 (Debian):
status: Unknown → New
Russ Allbery (rra-debian) wrote :

I have a test case, but I'm not sure you'll particularly enjoy it, since it isn't in a neatly isolated form. But if you:

    git clone git://git.eyrie.org/kerberos/pam-krb5.git
    cd pam-krb5
    ./autogen
    ./configure

and then add the username and password of an account in a test Kerberos realm to tests/config/password following the instructions in tests/config/README, and then run:

    make check

you will find that the bad-authtok test fails as follows:

module/bad-authtok......FAILED 9-10, 13, 34-35, 41-49

This is how I found the problem originally.

The problem is not reproducible without having access to a Kerberos realm to use to test with, unfortunately, since you have to be able to try a failed and then successful authetnication to see the problem.

Changed in krb5 (Debian):
status: New → Fix Committed
Changed in krb5 (Debian):
status: Fix Committed → Fix Released
Robie Basak (racb) wrote :

Russ: thanks for the test case! I've turned this into a script that doesn't depend on an existing Kerberos realm. But the script does rely on git.eyrie.org as the current Debian pam-krb5 doesn't appear to have the test that we need.

I've used the test case to verify that this bug is fixed if I build and install the latest Debian 1.10.1+dfsg-1 in Ubuntu by hand. Thus this bug will be fixed in the development release of Ubuntu as soon as we resync from Debian.

I've also prepared an SRU for precise, test built it, and tested both upgrade and fresh install using the test case.

Robie Basak (racb) wrote :
Robie Basak (racb) wrote :
Robie Basak (racb) on 2012-05-15
description: updated
Changed in krb5 (Ubuntu):
status: Incomplete → Triaged
Russ Allbery (rra-debian) wrote :

Oh, wow, great job with the test case. It wouldn't have occurred to me to just do that. (And yes, you have to use the Git version because I've been adding a ton of new tests compared to the latest full release.)

The attachment "krb5.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Robie Basak (racb) wrote :

Verified fixed on Quantal. Just need the SRU for Precise now. Note that the test script fails some other tests. This bug addresses the "module/bad-authtok" test only.

description: updated
Changed in krb5 (Ubuntu):
status: Triaged → Fix Released
Robie Basak (racb) on 2012-05-23
Changed in krb5 (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Brian Murray (brian-murray) wrote :

I've uploaded the debdiff to precise-proposed.

Hello Russ, or anyone else affected,

Accepted krb5 into precise-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in krb5 (Ubuntu Precise):
status: Triaged → Fix Committed
tags: added: verification-needed
Robie Basak (racb) wrote :

The test cases passes from -proposed. I've successfully tested both a fresh install and an upgrade with the test case I attached above.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package krb5 - 1.10+dfsg~beta1-2ubuntu0.1

---------------
krb5 (1.10+dfsg~beta1-2ubuntu0.1) precise-proposed; urgency=low

  * debian/patches/preauth-context.patch: fix preauth context initialisation
    (LP: #988520).
 -- Robie Basak <email address hidden> Tue, 15 May 2012 02:33:57 +0000

Changed in krb5 (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Duplicates of this bug

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.