misc/117867: [heimdal] kinit generates bad tickets on multihomed IPv6 hosts
Nathan Whitehorn
whitehorn at wisc.edu
Tue Nov 6 07:10:02 PST 2007
>Number: 117867
>Category: misc
>Synopsis: [heimdal] kinit generates bad tickets on multihomed IPv6 hosts
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Nov 06 15:10:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator: Nathan Whitehorn
>Release: 7.0-CURRENT
>Organization:
University of Wisconsin
>Environment:
FreeBSD banshee.munuc.org 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Mon Oct 8 14:34:11 CDT 2007 root at munuc.org:/usr/obj/usr/src/sys/X2100 amd64
>Description:
On systems with multiple IPv6 interfaces, Kerberos tickets with addresses in them are not accepted by other hosts, with the following error:
[nwhitehorn at banshee ~]$ telnet tiburon
Trying 2001:4830:151a:d610:20f:b5ff:fefb:4219...
Connected to tiburon.munuc.org.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/tiburon.munuc.org at MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]
[ Trying KERBEROS5 (host/tiburon.munuc.org at MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]
(This also happens if I connect over IPv4)
My tickets look like this:
[nwhitehorn at banshee ~]$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: nwhitehorn at MUNUC.ORG
Cache version: 4
Server: krbtgt/MUNUC.ORG at MUNUC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Nov 6 08:54:32 2007
End time: Nov 6 18:54:32 2007
Renew till: Nov 13 08:54:32 2007
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610
I have also experienced this problem on a machine running FreeBSD/arm 7.0-CURRENT, one running FreeBSD/i386 5.5-STABLE, and one running 8.0-CURRENT on i386.
>How-To-Repeat:
Try to use Kerberos tickets obtained on a multihomed IPv6 host.
>Fix:
Acquire the tickets with kinit --no-addresses.
>Release-Note:
>Audit-Trail:
>Unformatted:
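
Added example, not part of the original report: a Python check that parses `klist -v` output in the format shown above and lists tickets carrying more than one IPv6 address, the condition this report associates with the failure. The sample input is constructed from the report's output; the second ticket, its `example.invalid` names and the `addressless` value are assumptions, and the "more than one IPv6 address" rule is a heuristic taken from the report, not a confirmed root cause.

```python
import ipaddress
import re

# Constructed sample modelled on the `klist -v` output in the report above.
SAMPLE = """\
Server: krbtgt/MUNUC.ORG@MUNUC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610

Server: host/example.invalid@EXAMPLE.INVALID
Ticket etype: des3-cbc-sha1, kvno 1
Ticket flags: renewable
Addresses: addressless
"""

# One entry of the Addresses line, e.g. "IPv6:2001:4830:151a:d610::1".
ENTRY = re.compile(r"^(IPv4|IPv6):(.+)$")

def parse_tickets(text):
    """Return [{'server': str, 'v4': [...], 'v6': [...]}], one per ticket."""
    tickets = []
    for line in text.splitlines():
        # Split on the first colon only; address values contain more colons.
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Server":
            tickets.append({"server": value, "v4": [], "v6": []})
        elif key == "Addresses" and tickets:
            for item in value.split(","):
                m = ENTRY.match(item.strip())
                if not m:
                    continue  # "addressless" (assumed) or an unknown type
                addr = ipaddress.ip_address(m.group(2))
                family = "v4" if addr.version == 4 else "v6"
                tickets[-1][family].append(str(addr))
    return tickets

def at_risk(ticket):
    """Heuristic from the report: address-bound ticket with >1 IPv6 address."""
    return len(ticket["v6"]) > 1

def report(text):
    """Servers whose tickets match the heuristic."""
    return [t["server"] for t in parse_tickets(text) if at_risk(t)]

if __name__ == "__main__":
    for server in report(SAMPLE):
        print(f"{server}: re-acquire with kinit --no-addresses")
```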