Uploaded image for project: 'Directory Kerberos'
  1. Directory Kerberos
  2. DIRKRB-614

Kerby (simplekdc) fails to handle unknown PADATA

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.0.0-RC2
    • Fix Version/s: 1.0.1
    • Component/s: None
    • Labels:
      None
    • Environment:
      SimpleKDC

      Description

      I am using simplekdc wrapped in an application to allow CI for Apache Airflow.

      While testing I found out that on my development system (OS X - Heimdal with MIT Shim) everything worked fine, but when moving over to the CI (MIT) system it stopped working with the following error.

      2016-11-26 17:08:51,974 ERROR [pool-1-thread-3] impl.DefaultKdcHandler: Error occured while processing request:
      org.apache.kerby.kerberos.kerb.KrbException: Decoding failed
      	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:85)
      	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:70)
      	at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.kdcFindFast(KdcRequest.java:208)
      	at org.apache.kerby.kerberos.kerb.server.request.KdcRequest.process(KdcRequest.java:168)
      	at org.apache.kerby.kerberos.kerb.server.KdcHandler.handleMessage(KdcHandler.java:115)
      	at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.handleMessage(DefaultKdcHandler.java:67)
      	at org.apache.kerby.kerberos.kerb.server.impl.DefaultKdcHandler.run(DefaultKdcHandler.java:52)
      	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
      	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
      	at java.lang.Thread.run(Thread.java:745)
      Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+198], expecting 0x30
      	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:210)
      	at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:197)
      	at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)
      	... 9 more
      

      Digging in with Wireshark showed that the MIT libraries are sending extra PAData which makes Kerby not respond (Wireshark records this as "Unknown 136"). This behavior can be replicated by using "kvno".

      Heimdal on OSX does not send this and gets a response.

      1. kerb.pcap
        5 kB
        Bolke de Bruin
      2. kerb_heimdal.pcapng
        6 kB
        Bolke de Bruin

        Issue Links

          Activity

          Hide
          bolke Bolke de Bruin added a comment -

          kerb.pcap = MIT trace (Failed)
          kerb_heimdal.pcapng = Heimdal OSX trace (Succesful)

          Show
          bolke Bolke de Bruin added a comment - kerb.pcap = MIT trace (Failed) kerb_heimdal.pcapng = Heimdal OSX trace (Succesful)
          Hide
          bolke Bolke de Bruin added a comment - - edited

          A similar thing happened to the MIT KDC a couple of years ago: https://krbdev.mit.edu/rt/Ticket/Display.html?id=2110

          Show
          bolke Bolke de Bruin added a comment - - edited A similar thing happened to the MIT KDC a couple of years ago: https://krbdev.mit.edu/rt/Ticket/Display.html?id=2110
          Hide
          bolke Bolke de Bruin added a comment - - edited

          I am trying this as well on the RC3-SNAPSHOT, but now also MIT kinit fails (KDC reply did not match expectations while getting initial credentials), while Heimdal's works fine.

          No errors logged in the KDC side.

          Show
          bolke Bolke de Bruin added a comment - - edited I am trying this as well on the RC3-SNAPSHOT, but now also MIT kinit fails (KDC reply did not match expectations while getting initial credentials), while Heimdal's works fine. No errors logged in the KDC side.
          Hide
          drankye Kai Zheng added a comment -

          If the PADATA is unexpectedly there then the sad thing is it's hard for Kerby to ignore it, as Kerby strictly follows the asn.1 definition in its common asn.1 underlying framework. Before to have a fix, maybe you could work around this by disabling the preauth check?

          Show
          drankye Kai Zheng added a comment - If the PADATA is unexpectedly there then the sad thing is it's hard for Kerby to ignore it, as Kerby strictly follows the asn.1 definition in its common asn.1 underlying framework. Before to have a fix, maybe you could work around this by disabling the preauth check?
          Hide
          coheigea Colm O hEigeartaigh added a comment -

          Hi Kai Zheng,

          I've run in to this problem as well when using "curl --negotiate" with Kerby. I see the following error with 1.0.0:

          Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207], expecting 0x30
          at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:220)
          at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207)
          at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83)

          Do we know what the unknown PADATA is and how other KDCs handle it?

          By the way, with regards to your comment about disabling the preauth check, this does not work. KdcRequest.kdcFindFast is called even if preauthcontext.isPreauthRequired() is false.

          Show
          coheigea Colm O hEigeartaigh added a comment - Hi Kai Zheng , I've run in to this problem as well when using "curl --negotiate" with Kerby. I see the following error with 1.0.0: Caused by: java.io.IOException: Unexpected item context [0] [tag=0xA0, off=0, len=3+207] , expecting 0x30 at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:220) at org.apache.kerby.asn1.type.Asn1Encodeable.decode(Asn1Encodeable.java:207) at org.apache.kerby.kerberos.kerb.KrbCodec.decode(KrbCodec.java:83) Do we know what the unknown PADATA is and how other KDCs handle it? By the way, with regards to your comment about disabling the preauth check, this does not work. KdcRequest.kdcFindFast is called even if preauthcontext.isPreauthRequired() is false.
          Hide
          drankye Kai Zheng added a comment -

          Hi Colm O hEigeartaigh,

          Looks like two issues were exposed here, one is the decoding issue for the unknown PADATA, the other is, we probably shouldn't run into the FAST things given the preauth is disabled.

          Hope we can get to this sooner. Sorry for the late.

          Show
          drankye Kai Zheng added a comment - Hi Colm O hEigeartaigh , Looks like two issues were exposed here, one is the decoding issue for the unknown PADATA, the other is, we probably shouldn't run into the FAST things given the preauth is disabled. Hope we can get to this sooner. Sorry for the late.
          Hide
          jiajia Jiajia Li added a comment -

          Thanks Bolke for reporting this issue and thanks for Colm and Kai's comments, I will close this issue because Colm O hEigeartaigh and Marc de Lignie have checked the fix.

          Show
          jiajia Jiajia Li added a comment - Thanks Bolke for reporting this issue and thanks for Colm and Kai's comments, I will close this issue because Colm O hEigeartaigh and Marc de Lignie have checked the fix.
          Hide
          jiajia Jiajia Li added a comment -

          commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4
          Author: plusplusjiajia <jiajia.li@intel.com>
          Date: Wed Jun 14 10:43:46 2017 +0800

          Fix DIRKRB-614 and DIRKRB-631.

          Show
          jiajia Jiajia Li added a comment - commit a6224d2cf60e8e18ba5e307f1a4a2bc4c01a55b4 Author: plusplusjiajia <jiajia.li@intel.com> Date: Wed Jun 14 10:43:46 2017 +0800 Fix DIRKRB-614 and DIRKRB-631 .

            People

            • Assignee:
              jiajia Jiajia Li
              Reporter:
              bolke Bolke de Bruin
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development