Date:      Tue, 6 Nov 2007 15:01:55 GMT
From:      Nathan Whitehorn <whitehorn@wisc.edu>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   misc/117867: [heimdal] kinit generates bad tickets on multihomed IPv6 hosts
Message-ID:  <200711061501.lA6F1tDi013890@www.freebsd.org>
Resent-Message-ID: <200711061510.lA6FA1XN040947@freefall.freebsd.org>


>Number:         117867
>Category:       misc
>Synopsis:       [heimdal] kinit generates bad tickets on multihomed IPv6 hosts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 06 15:10:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nathan Whitehorn
>Release:        7.0-CURRENT
>Organization:
University of Wisconsin
>Environment:
FreeBSD banshee.munuc.org 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Mon Oct  8 14:34:11 CDT 2007     root@munuc.org:/usr/obj/usr/src/sys/X2100  amd64
>Description:
On systems with multiple IPv6 interfaces, Kerberos tickets with addresses in them are not accepted by other hosts, with the following error:

[nwhitehorn@banshee ~]$ telnet tiburon   
Trying 2001:4830:151a:d610:20f:b5ff:fefb:4219...
Connected to tiburon.munuc.org.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/tiburon.munuc.org@MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]
[ Trying KERBEROS5 (host/tiburon.munuc.org@MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]

(This also happens if I connect over IPv4.)

My tickets look like this:

[nwhitehorn@banshee ~]$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: nwhitehorn@MUNUC.ORG
    Cache version: 4

Server: krbtgt/MUNUC.ORG@MUNUC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Nov  6 08:54:32 2007
End time:   Nov  6 18:54:32 2007
Renew till: Nov 13 08:54:32 2007
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610

I have also experienced this problem on a machine running FreeBSD/arm 7.0-CURRENT, one running FreeBSD/i386 5.5-STABLE, and one running 8.0-CURRENT on i386.
>How-To-Repeat:
Try to use Kerberos tickets obtained on a multihomed IPv6 host.
>Fix:
Acquire the tickets with kinit --no-addresses.

>Release-Note:
>Audit-Trail:
>Unformatted:
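
Added example, not part of the original report or of Heimdal: a small parser for `klist -v` text that lists each ticket's embedded addresses and flags tickets matching the condition reported above (an address list with more than one IPv6 address), for which the report's workaround is `kinit --no-addresses`. The names `parse_tickets` and `matches_report` are hypothetical, the sample is trimmed from the output quoted in the report, and the flagging rule mirrors the reported condition rather than a confirmed root cause.

```python
import ipaddress

# Constructed sample: trimmed from the `klist -v` output quoted in the report.
SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: nwhitehorn@MUNUC.ORG

Server: krbtgt/MUNUC.ORG@MUNUC.ORG
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610
"""

FAMILIES = {"IPv4": 4, "IPv6": 6}


def parse_tickets(text):
    """Return one dict per 'Server:' block with its IPv4 (key 4) and IPv6 (key 6) lists."""
    tickets, current = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        value = value.strip()
        if key == "Server":
            current = {"server": value, 4: [], 6: []}
            tickets.append(current)
        elif key == "Addresses" and current is not None:
            for item in value.split(","):
                family, _, addr = item.strip().partition(":")
                if family not in FAMILIES:
                    continue  # not a family-tagged entry, e.g. no address list
                try:
                    ip = ipaddress.ip_address(addr)
                except ValueError:
                    continue  # unparseable entry: skip rather than guess
                if ip.version == FAMILIES[family]:
                    current[ip.version].append(str(ip))
    return tickets


def matches_report(ticket):
    """True when the ticket's address list holds more than one IPv6 address."""
    return len(ticket[6]) > 1


if __name__ == "__main__":
    for t in parse_tickets(SAMPLE):
        if matches_report(t):
            print(f"{t['server']}: {len(t[4])} IPv4 + {len(t[6])} IPv6 addresses; "
                  "re-acquire with: kinit --no-addresses")
```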


