Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Fixed
Description
I have a version 0x502 keytab that contains multiple principals with multiple entries.

[root@65027d995418 /]# klist -ket test.keytab
Keytab name: FILE:test.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (des3-cbc-sha1)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (arcfour-hmac)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (camellia256-cts-cmac)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (camellia128-cts-cmac)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (des-hmac-sha1)
   3 04/11/17 14:16:34 test/examples.com@EXAMPLE.COM (des-cbc-md5)
   3 04/11/17 14:16:51 HTTP/examples.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (des3-cbc-sha1)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (arcfour-hmac)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (camellia256-cts-cmac)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (camellia128-cts-cmac)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (des-hmac-sha1)
   3 04/11/17 14:16:52 HTTP/examples.com@EXAMPLE.COM (des-cbc-md5)
org.apache.kerby.kerberos.kerb.keytab.KeyTab readEntry() is only able to read the first entry properly.
On https://web.mit.edu/kerberos/krb5-1.12/doc/formats/keytab_file_format.html, we can read the following:
Some implementations of Kerberos recognize a 32-bit key version at the end of an entry, if the record length is at least 4 bytes longer than the entry and the value of those 32 bits is not 0. If present, this key version supersedes the 8-bit key version.
Looking at https://www.gnu.org/software/shishi/manual/html_node/The-Keytab-Binary-File-Format.html, it seems the field "uint32_t vno; /* only present if >= 4 bytes left in entry */" is not handled in the load() method of org.apache.kerby.kerberos.kerb.keytab.KeytabEntry.
With the example keytab I generated, this is exactly the case. We need to read an additional uint32 in order to properly read in the entries for the principals.
Additional info:
Kerberos packages I installed on centos-release-7-3:

krb5-devel.x86_64        1.14.1-27.el7_3
krb5-libs.x86_64         1.14.1-27.el7_3
krb5-server.x86_64       1.14.1-27.el7_3
krb5-workstation.x86_64  1.14.1-27.el7_3
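As an added example (not Kerby's code and not part of the report), a small Python reader for the 0x0502 keytab layout the MIT and Shishi documents quoted above describe. It bounds each entry by its int32 size prefix, applies the optional trailing 32-bit kvno rule (present when at least 4 bytes remain, superseding the 8-bit value when non-zero), and skips negative-size slots. The keytab bytes are constructed inline; the kvno-260 and kvno-0 records, the timestamps and the zero-filled keys are assumptions chosen to exercise the rule beyond the reporter's file.

```python
"""Reader for MIT/Heimdal keytab files, format version 0x0502 (big-endian).

Illustrative code for this issue; not the Kerby implementation.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

KRB5_NT_PRINCIPAL = 1
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted_octet_string(buf: bytes, off: int):
    """counted_octet_string { uint16_t length; uint8_t data[length]; }"""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    if off + n > len(buf):
        raise ValueError("counted string runs past end of record")
    return buf[off:off + n], off + n


def parse_entry(record: bytes) -> KeytabEntry:
    """Parse one record body, i.e. the bytes after the int32 size prefix."""
    off = 0
    (num_components,) = struct.unpack_from(">H", record, off)
    off += 2
    realm, off = _counted_octet_string(record, off)
    comps = []
    for _ in range(num_components):
        comp, off = _counted_octet_string(record, off)
        comps.append(comp)
    name_type, timestamp, vno8 = struct.unpack_from(">IIB", record, off)
    off += 9
    (enctype,) = struct.unpack_from(">H", record, off)
    off += 2
    key, off = _counted_octet_string(record, off)
    kvno = vno8
    # The point of the report: a 32-bit kvno follows the keyblock only when at
    # least 4 bytes of the record remain, and it supersedes vno8 only if non-zero.
    # Reading it (or not) based on the record size keeps the stream aligned for
    # the next entry. Any bytes beyond it are slack and ignored.
    if len(record) - off >= 4:
        (vno32,) = struct.unpack_from(">I", record, off)
        if vno32 != 0:
            kvno = vno32
    principal = "/".join(c.decode("utf-8") for c in comps) + "@" + realm.decode("utf-8")
    return KeytabEntry(principal, name_type, timestamp, kvno, enctype, key)


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    (version,) = struct.unpack_from(">H", data, 0)
    if version != 0x0502:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:
            # Negative size marks a deleted/empty slot of abs(size) bytes.
            off += -size
            continue
        if off + size > len(data):
            raise ValueError("truncated keytab record")
        entries.append(parse_entry(data[off:off + size]))
        off += size
    return entries


def build_entry(realm: bytes, comps: List[bytes], timestamp: int, vno8: int,
                enctype: int, key: bytes, vno32: Optional[int] = None) -> bytes:
    """Serialise one 0x0502 record; vno32=None omits the trailing field."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for comp in comps:
        body += struct.pack(">H", len(comp)) + comp
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, vno8)
    body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
    if vno32 is not None:
        body += struct.pack(">I", vno32)
    return struct.pack(">i", len(body)) + body


def sample_keytab() -> bytes:
    """Constructed test input (assumed values, zero-filled keys)."""
    realm = b"EXAMPLE.COM"
    data = struct.pack(">H", 0x0502)
    # Records written with the trailing 32-bit kvno, as in the reported file.
    data += build_entry(realm, [b"test", b"examples.com"], 1491920194, 3,
                        ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32), vno32=3)
    data += build_entry(realm, [b"test", b"examples.com"], 1491920194, 3,
                        ENCTYPE_AES128_CTS_HMAC_SHA1_96, bytes(16), vno32=3)
    data += struct.pack(">i", -8) + bytes(8)          # deleted slot to skip
    data += build_entry(realm, [b"HTTP", b"examples.com"], 1491920211, 3,
                        ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32))   # 8-bit only
    data += build_entry(realm, [b"HTTP", b"examples.com"], 1491920211, 260 & 0xFF,
                        ENCTYPE_AES128_CTS_HMAC_SHA1_96, bytes(16), vno32=260)
    data += build_entry(realm, [b"host", b"examples.com"], 1491920211, 5,
                        ENCTYPE_AES256_CTS_HMAC_SHA1_96, bytes(32), vno32=0)
    return data


if __name__ == "__main__":
    for e in parse_keytab(sample_keytab()):
        print(f"{e.kvno:4d} {e.timestamp} {e.principal} (enctype {e.enctype})")
```

The record's size prefix, not the field sequence, is what delimits an entry; a reader that consumes fields one after another from the stream and never checks how many bytes of the record remain will treat the trailing kvno as the next record's size and lose every entry after the first, which is the symptom described above.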
Attachments
Issue Links
- is depended upon by: HADOOP-14426 Upgrade Kerby version from 1.0.0-RC2 to 1.0.0 (Resolved)
- is duplicated by: DIRKRB-622 Kerby does not skip empty parts of a keytab entry (Resolved)