misc/117867: [heimdal] kinit generates bad tickets on multihomed IPv6 hosts

Nathan Whitehorn whitehorn at wisc.edu
Tue Nov 6 07:10:02 PST 2007


>Number:         117867
>Category:       misc
>Synopsis:       [heimdal] kinit generates bad tickets on multihomed IPv6 hosts
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Nov 06 15:10:01 UTC 2007
>Closed-Date:
>Last-Modified:
>Originator:     Nathan Whitehorn
>Release:        7.0-CURRENT
>Organization:
University of Wisconsin
>Environment:
FreeBSD banshee.munuc.org 7.0-CURRENT FreeBSD 7.0-CURRENT #0: Mon Oct  8 14:34:11 CDT 2007     root at munuc.org:/usr/obj/usr/src/sys/X2100  amd64
>Description:
On systems with multiple IPv6 interfaces, Kerberos tickets with addresses in them are not accepted by other hosts, with the following error:

[nwhitehorn at banshee ~]$ telnet tiburon   
Trying 2001:4830:151a:d610:20f:b5ff:fefb:4219...
Connected to tiburon.munuc.org.
Escape character is '^]'.
[ Trying mutual KERBEROS5 (host/tiburon.munuc.org at MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]
[ Trying KERBEROS5 (host/tiburon.munuc.org at MUNUC.ORG)... ]
[ Kerberos V5 refuses authentication because Read req failed: ASN.1 badly-formatted encoding ]

(This also happens if I connect over IPv4)

My tickets look like this:

[nwhitehorn at banshee ~]$ klist -v
Credentials cache: FILE:/tmp/krb5cc_1001
        Principal: nwhitehorn at MUNUC.ORG
    Cache version: 4

Server: krbtgt/MUNUC.ORG at MUNUC.ORG
Ticket etype: des3-cbc-sha1, kvno 1
Auth time:  Nov  6 08:54:32 2007
End time:   Nov  6 18:54:32 2007
Renew till: Nov 13 08:54:32 2007
Ticket flags: renewable, initial
Addresses: IPv4:10.0.10.1, IPv6:2001:4830:151a:d610::1, IPv4:128.135.214.27, IPv4:128.135.214.16, IPv6:2001:4830:151a:d600::d610

I have also experienced this problem on a machine running FreeBSD/arm 7.0-CURRENT, one running FreeBSD/i386 5.5-STABLE, and one running 8.0-CURRENT on i386.
>How-To-Repeat:
Try to use Kerberos tickets obtained on a multihomed IPv6 host.
>Fix:
Acquire the tickets with kinit --no-addresses.

>Release-Note:
>Audit-Trail:
>Unformatted:
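
Added example, not part of the original report: a shell helper that reads `klist -v` output and reports, per ticket, how many IPv4 and IPv6 addresses it is bound to, so you can confirm that a cache obtained with `kinit --no-addresses` carries none. The function names and the sample text (documentation addresses, EXAMPLE.ORG realm, the "addressless" placeholder) are constructed for illustration.

```shell
#!/bin/sh
# Summarise address restrictions in `klist -v` output read from stdin.
# Output: one line per ticket, "<server principal> <ipv4 count> <ipv6 count>".
ticket_addresses() {
    awk '
        /^Server:/ { server = $2 }
        /^Addresses:/ {
            v4 = 0; v6 = 0
            line = $0
            sub(/^Addresses:[ \t]*/, "", line)
            n = split(line, parts, ", *")
            for (i = 1; i <= n; i++) {
                # Only entries tagged IPv4:/IPv6: count as restrictions;
                # anything else (e.g. a placeholder word) is ignored.
                if (parts[i] ~ /^IPv4:/) v4++
                else if (parts[i] ~ /^IPv6:/) v6++
            }
            printf "%s %d %d\n", server, v4, v6
        }
    '
}

# Exit status 0 if no ticket on stdin carries addresses, 1 otherwise.
cache_is_addressless() {
    ticket_addresses | awk '$2 + $3 > 0 { bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Constructed sample modelled on the klist -v layout shown in the report:
# one ticket bound to several addresses, one ticket with none.
sample_klist_output() {
    cat <<'EOF'
Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Ticket flags: renewable, initial
Addresses: IPv4:192.0.2.1, IPv6:2001:db8:0:1::1, IPv4:198.51.100.27, IPv6:2001:db8:0:2::1

Server: host/server.example.org@EXAMPLE.ORG
Ticket flags: forwardable
Addresses: addressless
EOF
}

# Demo on the constructed sample; on a real host use:
#   klist -v | ticket_addresses
sample_klist_output | ticket_addresses
```

After re-acquiring tickets with the workaround, `klist -v | cache_is_addressless && echo ok` should print ok.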

