Sam Hartman <[email protected]> writes:
> Hi. At today's release meeting, MIT indicated that they are going to
> set up an OS X test environment to reproduce this problem. They will
> also look into whether we can ignore the PAC and remove it from the
> authdata if it fails to verify rather than failing the authentication.
> There was agreement that if we do that we need to insert a trace point
> in the PAC code so we can know that the PAC is not verified.
I have reproduced the bug against Mac OS 10.6 Server. The following
patch appears to work (against the trunk; I believe the 1.8 release
didn't have tracing support). Sam, does it look reasonable to you?
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h
index 3efe0e4..43d63cc 100644
--- a/src/include/k5-trace.h
+++ b/src/include/k5-trace.h
@@ -177,6 +177,10 @@
#define TRACE_INIT_CREDS_SERVICE(c, service) \
TRACE(c, (c, "Setting initial creds service to {string}", service))
+#define TRACE_MSPAC_DISCARD_NOSVCSIG(c) \
+ TRACE(c, (c, "Discarding MS PAC due to missing service signature. "\
+ "Apple Open Directory bug?"))
+
#define TRACE_KT_GET_ENTRY(c, keytab, princ, vno, enctype, err) \
TRACE(c, (c, "Retrieving {princ} from {keytab} (vno {int}, " \
"enctype {etype}) with result: {kerr}", princ, keytab, \
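Review bot: The first continuation line of TRACE_MSPAC_DISCARD_NOSVCSIG ends in `"\` while the neighbouring macros in this table put a space before the backslash (`" \`); matching them keeps the header uniform. The trailing "Apple Open Directory bug?" is a guess about a third party baked into a runtime trace string that operators will see in logs; the suspected origin reads better as a comment above the macro, e.g. `/* Observed with Mac OS X 10.6 Server, which appears to omit the server signature. */`, with the message reduced to `"Discarding MS PAC due to missing service signature"`. The message could also carry the failing error via the existing `{kerr}` form so a reader can tell a missing buffer from another lookup failure.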
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index 983b4e8..64e0d9f 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -637,8 +637,13 @@ krb5_pac_verify(krb5_context context,
return EINVAL;
ret = k5_pac_verify_server_checksum(context, pac, server);
- if (ret != 0)
+ if (ret == ENOENT) {
+ TRACE_MSPAC_DISCARD_NOSVCSIG(context);
+ pac->verified = FALSE;
+ return 0;
+ } else if (ret != 0) {
return ret;
+ }
if (privsvr != NULL) {
ret = k5_pac_verify_kdc_checksum(context, pac, privsvr);
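Review bot: Returning 0 from krb5_pac_verify when the server signature is absent changes the contract of a public verification routine: any caller that tests only the return value rather than the new `pac->verified` flag will treat an unsigned PAC as authenticated, and in this patch the flag is consulted only by mspac_get_attribute in the hunk below. A safer shape is to keep krb5_pac_verify strict and let the caller in the mspac plugin tolerate ENOENT, or at minimum document the new semantics on the public declaration, e.g. `/* Returns 0 with pac->verified cleared when the PAC carries no server checksum; callers must check the flag before trusting any buffer. */`. The branch also assumes k5_pac_verify_server_checksum yields ENOENT only for a missing signature and never for another lookup failure, which is worth confirming. The KDC checksum path a few lines below appears to still fail hard on ENOENT, so the two signatures are treated asymmetrically without an explanation in the code. krb5_pac_verify continues outside the hunk.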
@@ -977,6 +982,11 @@ mspac_get_attribute(krb5_context kcontext,
if (*more != -1 || pacctx->pac == NULL)
return ENOENT;
+ /* If it didn't verify, pretend it didn't exist. */
+ if (!pacctx->pac->verified) {
+ return ENOENT;
+ }
+
code = mspac_attr2type(attribute, &type);
if (code != 0)
return code;
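Review bot: The new `verified` guard covers only mspac_get_attribute; if the plugin has other entry points that read from pacctx->pac (listing attribute types, exporting the authdata), an unverified PAC can still surface through them unless each gets the same check, so enforcing it once where the PAC is stored in pacctx, or via a small shared helper, would be more robust than per-accessor guards. Stylistically the surrounding code writes single-statement ifs without braces (the `return ENOENT;` two lines above), so `if (!pacctx->pac->verified) return ENOENT;` would match. mspac_get_attribute continues outside the hunk.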