
Re: sid: kinit showing passwd!



Anders Lennartsson <anders.lennartsson@foi.se> writes:

> David Maze wrote:
>
>> kinit (from the MIT Kerberos packages, not Heimdal) works as I (and you)
>> expect.  Where does your kinit come from?
>>
>>  which kinit
>>  dpkg -S `which kinit`
>
> This is most disturbing. After a check at my home LAN where it worked,
> of course, I followed up what kinit I was using at work, where I
> discovered the problem:
>
> ~$ type -all kinit
> kinit is /usr/bin/kinit
> ~$ ls -l /usr/bin/kinit
> lrwxrwxrwx    1 root     root           23 Sep 16 14:43 /usr/bin/kinit -> /etc/alternatives/kinit
> ~$ ls -l /etc/alternatives/kinit
> lrwxrwxrwx    1 root     root           27 Sep 16 14:44 /etc/alternatives/kinit -> /usr/lib/j2se/1.4/bin/kinit

That's exciting.  Digging around, I also have a kinit (and klist, but
not kdestroy) alternative, but /usr/bin/kinit from krb5-user.  Using
Blackdown j2se1.4 mirrored from metalab.unc.edu.  I don't actually
know how dpkg reacts if one package thinks something is an alternative
and another doesn't; my suspicion is that, since I installed Kerberos
before Java, the real Kerberos won, but I don't actually know.

> The problem seems to be caused by the thing I did yesterday.
> For the first time ever, I installed an unofficial deb, the j2sdk1.4
> compiled with gcc-3.2, downloaded from jrfonseca.dyndns.org/debian.

...but maybe not.

> Interesting thing though, the java stuff worked with mozilla as I
> expected.

I haven't had much luck with it, but I'm also not actually sure what
gcc my JVM was compiled against.

> Now should I consider the whole machine tainted, or is this only a
> bug?

I'd guess that it's just a bug, and if it were me, I'd just reinstall
krb5-user and check that things you expect to be from that package
aren't really alternatives.

> With the "fake" kinit, when I write an incorrect password or none at
> all, the output looks like the following:
> (obviously incorrect password is here sdklakjfd)
>
> ~$ kinit
> Password for abel@XXXXXXX.YYY.SE:sdklakjfd
> Exception: krb_error 24 Pre-authentication information was invalid (24)
> - PREAUTH_FAILED Pre-authentication information was invalid

Right, that makes sense.  In the ancient days, you asked the KDC for a
TGT, and it handed you back a TGT encrypted in your password; kinit
then took the password you typed in, tried to decrypt it, and if you
succeeded, you were done.  But this enabled an attack where you asked
for a TGT, got back something encrypted, knew more-or-less what the
result should look like, and could do an offline dictionary attack.
So now there's an encrypted exchange where you give your password to
the KDC, it checks that the password is correct, and *then* gives you
the encrypted TGT; the "validate password first" step is the
pre-authentication.

> If I typed the correct I did actually get a TGT, at least the "fake"
> klist reported so. Everything was kind of sluggish with these
> programs.

...as are most things in Java, it seems.

-- 
David Maze         dmaze@debian.org      http://people.debian.org/~dmaze/
"Theoretical politics is interesting.  Politicking should be illegal."
	-- Abra Mitchell
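A check of the kind David suggests above ("check that things you expect to be from that package aren't really alternatives"), written as an added example that is not from this thread: it follows a command's symlink chain hop by hop, the way the repeated `ls -l` in the quoted output does, and flags a final target that is not the file the package is expected to install. The directory layout it builds under a temporary directory mirrors the quoted one and is constructed for the demonstration; the set of expected files is an assumption here, in practice you would take it from `dpkg -L krb5-user`.

```python
"""Follow a command's symlink chain and check where it really ends up.

Added example, not code from this thread. Mirrors the quoted
`type` / `ls -l` investigation: /usr/bin/kinit -> /etc/alternatives/kinit
-> a JDK's kinit, and flags that the final file is not the one the
Kerberos package is expected to install.
"""
import os
import shutil
import tempfile


def symlink_chain(path):
    """Return [path, hop1, hop2, ...] until a non-symlink is reached.

    Relative link targets are resolved against the link's own directory,
    as the kernel does. A loop or a dangling link ends the walk.
    """
    chain = [os.path.abspath(path)]
    seen = set(chain)
    while os.path.islink(chain[-1]):
        link = chain[-1]
        target = os.readlink(link)
        if not os.path.isabs(target):
            target = os.path.join(os.path.dirname(link), target)
        target = os.path.normpath(target)
        if target in seen:          # symlink loop: stop rather than spin
            break
        chain.append(target)
        seen.add(target)
    return chain


def audit_command(name, search_path, expected_files):
    """Find `name` on search_path (a list of dirs, like $PATH split on ':')
    and report (chain, trusted).

    trusted is True only when the final resolved path is one of
    expected_files, i.e. a file the package you rely on actually ships.
    """
    expected = {os.path.abspath(f) for f in expected_files}
    for d in search_path:
        candidate = os.path.join(d, name)
        if os.path.lexists(candidate):      # lexists: count dangling links too
            chain = symlink_chain(candidate)
            return chain, chain[-1] in expected
    return [], False


def demo(hijacked):
    """Build a throwaway copy of the quoted layout and audit 'kinit' in it.

    hijacked=True reproduces the thread: /usr/bin/kinit is an alternatives
    link into a JDK. hijacked=False is the expected krb5-user install, where
    /usr/bin/kinit is the real binary. Returns {"chain": [...], "trusted": bool}.
    All paths live under a temporary root (constructed data).
    """
    root = tempfile.mkdtemp()
    try:
        usr_bin = os.path.join(root, "usr/bin")
        jdk_bin = os.path.join(root, "usr/lib/j2se/1.4/bin")
        alternatives = os.path.join(root, "etc/alternatives")
        for d in (usr_bin, jdk_bin, alternatives):
            os.makedirs(d)
        if hijacked:
            with open(os.path.join(jdk_bin, "kinit"), "w") as f:
                f.write("#!/bin/sh\n# stand-in for the Java kinit\n")
            os.symlink(os.path.join(jdk_bin, "kinit"), os.path.join(alternatives, "kinit"))
            os.symlink(os.path.join(alternatives, "kinit"), os.path.join(usr_bin, "kinit"))
        else:
            with open(os.path.join(usr_bin, "kinit"), "w") as f:
                f.write("#!/bin/sh\n# stand-in for the MIT kinit\n")
        chain, trusted = audit_command("kinit", [usr_bin], [os.path.join(usr_bin, "kinit")])
        return {"chain": chain, "trusted": trusted}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hijacked in (True, False):
        result = demo(hijacked)
        print(" -> ".join(result["chain"]), "| trusted:", result["trusted"])
```

Running it prints the three-hop chain for the hijacked layout with `trusted: False`, and the single-entry chain with `trusted: True` for the clean one. Point `audit_command` at the real `$PATH` (split on `:`) and at the file list from `dpkg -L krb5-user` to run the same check on a live system; the `chain` it returns is what `type` and `ls -l` would have shown you by hand.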


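The two AS exchanges David describes (the ancient one, where the TGT encrypted in the user's key is handed to whoever asks, and the current one, where pre-authentication comes first), as an added example that is not from this thread: a toy KDC and client in Python. The cipher, the password-to-key derivation, the principal `abel@EXAMPLE.SE` and the passwords are constructed stand-ins, not Kerberos' real encryption types or string-to-key; the error line the client produces mirrors the one quoted above.

```python
"""Toy model of the Kerberos AS exchange, with and without pre-authentication.

Added example, not code from this thread. The cipher (HMAC-SHA256 keystream
plus tag) and the password-to-key step (PBKDF2) are stand-ins for the real
Kerberos encryption types; the message flow is what this illustrates.
"""
import getpass
import hashlib
import hmac
import os
import time

PREAUTH_FAILED = 24      # the krb_error code in the thread's kinit output
CLOCK_SKEW_MAX = 300     # seconds; Kerberos' customary five-minute window


def string_to_key(password, principal):
    """Derive the principal's long-term key from the password (principal as salt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]


def seal(key, plaintext):
    """Toy authenticated encryption: nonce || plaintext XOR keystream || tag."""
    nonce = os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Inverse of seal(); None when the tag fails, i.e. the key is wrong."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(body, _keystream(key, nonce, len(body))))


class KDC:
    def __init__(self, principals):
        # principals: {name: password}; constructed data, a real KDC keeps only keys
        self.keys = {p: string_to_key(pw, p) for p, pw in principals.items()}

    def _tgt(self, principal):
        return seal(self.keys[principal], b"TGT for " + principal.encode())

    def as_req_legacy(self, principal):
        """The ancient flow the thread describes: the TGT, encrypted in the
        user's key, goes to anyone who asks, so the KDC never sees the guesses
        that get tried against it."""
        return self._tgt(principal)

    def as_req_preauth(self, principal, pa_enc_timestamp, now=None):
        """Current flow: the encrypted TGT is issued only after the client's
        PA-ENC-TIMESTAMP decrypts under the stored key and is fresh."""
        now = time.time() if now is None else now
        ts = unseal(self.keys[principal], pa_enc_timestamp)
        if ts is None or abs(int(ts) - now) > CLOCK_SKEW_MAX:
            return ("krb_error", PREAUTH_FAILED, "Pre-authentication information was invalid")
        return ("as_rep", self._tgt(principal))


def kinit(kdc, principal, password, now=None):
    """Client side: prove the key with an encrypted timestamp, then open the TGT.

    Returns (tgt_bytes, "ok") or (None, message); message has the shape of
    the Exception line quoted in the thread.
    """
    now = time.time() if now is None else now
    key = string_to_key(password, principal)
    reply = kdc.as_req_preauth(principal, seal(key, str(int(now)).encode()), now)
    if reply[0] == "krb_error":
        return None, "Exception: krb_error %d %s (%d)" % (reply[1], reply[2], reply[1])
    return unseal(key, reply[1]), "ok"


if __name__ == "__main__":
    principal = "abel@EXAMPLE.SE"            # constructed; the thread's realm is redacted
    kdc = KDC({principal: "correct horse battery"})
    # Read the password with echo off, which is what the "fake" kinit above failed to do.
    tgt, msg = kinit(kdc, principal, getpass.getpass("Password for %s: " % principal))
    print(tgt or msg)
```

Run stand-alone it prompts with echo off and, on a wrong password, prints the same `krb_error 24` line as the quoted output; the KDC has returned no ciphertext at that point. `as_req_legacy` is the contrast: its return value is the encrypted TGT whether or not the caller knows the password, which is the offline-guessing exposure David describes and the reason the timestamp step was added.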