Re: "shishi user SERVICE" borked?
From: Simon Josefsson
Subject: Re: "shishi user SERVICE" borked?
Date: Sat, 22 Apr 2006 11:04:16 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Looks like I'm still here today...
Elrond <address@hidden> writes:
> Hi,
>
> Either I'm doing something wrong, or something is catching
> me here:
>
> Rivendell:~% shishi address@hidden
> Enter password for address@hidden':
> ...
> Server: krbtgt/W2K3DOM.SAMBA-TNG.ORG key arcfour-hmac (23)
> Ticket key: des-cbc-md5 (3) protected by des-cbc-md5 (3)
> Ticket flags: INITIAL PREAUTHENT (1536)
> Rivendell:~% shishi address@hidden host/m3-w2k3-srv
> Generic error from server:
> shishi: Could not get ticket as `elrond' for `host/m3-w2k3-srv'.
>
> same against heimdal, just different error:
>
> Error code from server:
> Integrity check on decrypted field failed
> shishi: Could not get ticket as `elrond' for `imap/rivendell'.
>
> heimdal-kdc.log has a simple:
>
> Failed to verify checksum: Decrypt integrity check failed
> Failed to verify authenticator: Decrypt integrity check failed
>
> (heimdal has preauth disabled again.)
>
> What am I doing wrong there?

I was able to reproduce this error for a while, and after fixing a
couple of things (see below), it doesn't seem to happen. So it may
have been fixed. If it hasn't, I need more -v -v -v -v output.

Try new 0.0.24 packages: http://josefsson.org/shishi/debian/0.0.24/

The bug was that Heimdal's ETYPE-INFO messages are corrupt, from
dumpasn1:

address@hidden:~/src/shishi/lib$ dumpasn1 i
0 228: SEQUENCE {
3 36: SEQUENCE {
5 3: [0] {
7 1: INTEGER 16
: }
10 24: [1] {
12 22: OCTET STRING 'DOPIO.JOSEFSSON.ORGjas'
: }
36 3: [2] {
38 1: INTEGER 3
: }
: }
41 36: SEQUENCE {
43 3: [0] {
45 1: INTEGER 3
: }
48 24: [1] {
50 22: OCTET STRING 'DOPIO.JOSEFSSON.ORGjas'
: }
74 3: [2] {
76 1: INTEGER 3
: }
...

I.e., there is a third member that shouldn't be there, at least
according to the ASN.1 schema in RFC 4120:

ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY

ETYPE-INFO-ENTRY ::= SEQUENCE {
        etype   [0] Int32,
        salt    [1] OCTET STRING OPTIONAL
}

Shishi stopped processing the pre-auth data because of that, but I've
fixed this now. One unparseable pre-auth data won't disturb
processing of other pre-auth data. And since Heimdal sends an
ETYPE-INFO2, there's no problem.

/Simon

>
>
> Elrond
>
> p.s.: kinit elrond
> kgetcred imap/rivendell
> from heimdal/client works.
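
Added example, not part of the original message and not Shishi's code: a Python sketch of the behaviour described above, where an ETYPE-INFO entry carrying the unexpected [2] member is rejected against the RFC 4120 schema while the ETYPE-INFO2 element in the same pre-auth list is still used. The padata-type numbers 11 and 19 are from RFC 4120; the function names and the DER samples (built around the salt string from the dump) are constructed for this illustration.

```python
# Added illustration, not Shishi code. DER subset: one-byte tags, definite lengths.
ALLOWED = {11: {0, 1},       # PA-ETYPE-INFO entry: etype, salt
           19: {0, 1, 2}}    # PA-ETYPE-INFO2 entry: etype, salt, s2kparams

def tlv(buf, off=0):         # -> (tag, value, next_offset)
    if off + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    n, k = first, 0
    if first > 0x80:         # long-form length: next k bytes hold the length
        k = first & 0x7F
        n = int.from_bytes(buf[off:off + k], "big")
    if first == 0x80 or off + k + n > len(buf):   # indefinite form is not DER
        raise ValueError("bad or truncated length")
    return tag, buf[off + k:off + k + n], off + k + n

def children(value):         # yield (tag, value) for each TLV inside value
    off = 0
    while off < len(value):
        tag, val, off = tlv(value, off)
        yield tag, val

def parse_entries(pa_type, data):   # strict: an undefined field is an error
    tag, body, end = tlv(data)
    if pa_type not in ALLOWED or tag != 0x30 or end != len(data):
        raise ValueError("unsupported type or not one SEQUENCE")
    out = []
    for etag, entry in children(body):
        fields = {}
        for ftag, fval in children(entry):
            if ftag - 0xA0 not in ALLOWED[pa_type]:
                raise ValueError(f"unexpected field [{ftag - 0xA0}]")
            fields[ftag - 0xA0] = tlv(fval)[1]    # drop inner universal tag
        if etag != 0x30 or 0 not in fields:
            raise ValueError("malformed entry")
        out.append((int.from_bytes(fields[0], "big", signed=True), fields.get(1)))
    return out

def usable_padata(padata):   # a bad element is recorded and skipped, not fatal
    good, skipped = {}, []
    for pa_type, value in padata:
        try:
            good[pa_type] = parse_entries(pa_type, value)
        except ValueError as err:
            skipped.append((pa_type, str(err)))
    return good, skipped

SALT = b"DOPIO.JOSEFSSON.ORGjas"   # salt from the dump; the DER below is constructed
INFO = bytes.fromhex("30263024a003020110a1180416") + SALT + bytes.fromhex("a203020103")
INFO2 = bytes.fromhex("3021301fa003020110a1181b16") + SALT
```

Calling usable_padata([(11, INFO), (19, INFO2)]) returns the ETYPE-INFO2 entry as usable and lists the ETYPE-INFO element as skipped, with the reason.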