Anders Lennartsson <[EMAIL PROTECTED]> writes:

> David Maze wrote:
>
>> kinit (from the MIT Kerberos packages, not Heimdal) works as I (and you)
>> expect. Where does your kinit come from?
>>
>> which kinit
>> dpkg -S `which kinit`
>
> This is most disturbing. After a check at my home lan where it worked,
> of course, I followed up what kinit I was using at work, where I
> discovered the problem:
>
> ~$ type -all kinit
> kinit is /usr/bin/kinit
> ~$ ls -l /usr/bin/kinit
> lrwxrwxrwx 1 root root 23 Sep 16 14:43 /usr/bin/kinit -> /etc/alternatives/kinit
> ~$ ls -l /etc/alternatives/kinit
> lrwxrwxrwx 1 root root 27 Sep 16 14:44 /etc/alternatives/kinit -> /usr/lib/j2se/1.4/bin/kinit

That's exciting. Digging around, I also have a kinit (and klist, but
not kdestroy) alternative, but /usr/bin/kinit from krb5-user. Using
Blackdown j2se1.4 mirrored from metalab.unc.edu. I don't actually know
how dpkg reacts if one package thinks something is an alternative and
another doesn't; my suspicion is that, since I installed Kerberos
before Java, the real Kerberos won, but I don't actually know.

> The problem seems to be caused by the thing I did yesterday.
> For the first time ever, I installed an unofficial deb, the j2sdk1.4
> compiled with gcc-3.2, downloaded from jrfonseca.dyndns.org/debian.

...but maybe not.

> Interesting thing though, the java stuff worked with mozilla as I
> expected.

I haven't had much luck with it, but I'm also not actually sure what
gcc my JVM was compiled against.

> Now should I consider the whole machine tainted, or is this only a
> bug?

I'd guess that it's just a bug, and if it were me, I'd just reinstall
krb5-user and check that things you expect to be from that package
aren't really alternatives.

> With the "fake" kinit, when I write an incorrect password or none at
> all, the output looks like the following:
> (obviously incorrect password is here sdklakjfd)
>
> ~$ kinit
> Password for [EMAIL PROTECTED]:sdklakjfd
> Exception: krb_error 24 Pre-authentication information was invalid (24)
> - PREAUTH_FAILED Pre-authentication information was invalid

Right, that makes sense. In the ancient days, you asked the KDC for a
TGT, and it handed you back a TGT encrypted in your password; kinit
then took the password you typed in, tried to decrypt it, and if you
succeeded, you were done. But this enabled an attack where you asked
for a TGT, got back something encrypted, knew more-or-less what the
result should look like, and could do an offline dictionary attack.
So now there's an encrypted exchange where you give your password to
the KDC, it checks that the password is correct, and *then* gives you
the encrypted TGT; the "validate password first" step is the
pre-authentication.

> If I typed the correct one I did actually get a TGT, at least the "fake"
> klist reported so. Everything was kind of sluggish with these
> programs.

...as are most things in Java, it seems.

-- 
David Maze [EMAIL PROTECTED] http://people.debian.org/~dmaze/
"Theoretical politics is interesting. Politicking should be illegal."
        -- Abra Mitchell
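
The check suggested in the message (`which kinit`, then `dpkg -S`), extended to follow every symlink hop behind the command, as an added example that is not part of the original mail. The function names are this example's own; `dpkg` is only called when it is installed.

```shell
#!/bin/sh
# Added example: show which file a command name really runs and who owns it.
# All function names here are hypothetical helpers, not part of any package.

# Print every hop from $1 to the final non-symlink file, one path per line.
symlink_chain() {
    cur=$1
    hops=0
    while [ -L "$cur" ] && [ "$hops" -lt 40 ]; do    # cap guards against loops
        printf '%s\n' "$cur"
        target=$(readlink "$cur")
        case $target in
            /*) cur=$target ;;                       # absolute link target
            *)  cur=$(dirname "$cur")/$target ;;     # relative to the link's dir
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$cur"
}

# Print only the file the chain ends at.
final_target() {
    symlink_chain "$1" | tail -n 1
}

# Succeed if any hop goes through an alternatives directory.
is_alternative() {
    symlink_chain "$1" | grep -q '/alternatives/'
}

# Print the chain for a command, then the package owning the final file.
audit_command() {
    cmd_path=$(command -v "$1") || { echo "$1: not found in PATH" >&2; return 1; }
    symlink_chain "$cmd_path"
    if is_alternative "$cmd_path"; then
        echo "note: $1 is selected through the alternatives system"
    fi
    if command -v dpkg >/dev/null 2>&1; then
        dpkg -S "$(final_target "$cmd_path")" 2>/dev/null ||
            echo "note: final target is not owned by any installed package"
    fi
}

# Stand-alone use: sh thisfile.sh kinit
if [ "$#" -gt 0 ]; then
    audit_command "$1"
fi
```

Run against `kinit`, `klist` and `kdestroy` in turn, this shows whether each one resolves into the Kerberos package or into another package's directory.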