Author: erodriguez
Date: Tue Feb  8 21:11:12 2005
New Revision: 153017

URL: http://svn.apache.org/viewcvs?view=rev&rev=153017
Log:
Updated the Kerberos KDC to return explanatory recovery information (KRB_ERROR e-data) after 
a pre-authentication request failure.  By default the Linux krb5 libs will not attempt 
pre-authentication until they receive a KRB_ERROR noting that 
pre-authentication is required as well as the preferred encryption types.  
Pre-authentication now works with Linux kerberos tools, console logins, and 
services such as SSHD.  Tested on Fedora Core 2 and 3.

Added:
    
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/EncryptionTypeInfoEncoder.java
    
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/KdcErrorPreauthRequired.java
    
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/messages/value/EncryptionTypeInfoEntry.java
Modified:
    
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/PreAuthenticationDataEncoder.java
    
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/AuthenticationService.java

Added: 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/EncryptionTypeInfoEncoder.java
URL: 
http://svn.apache.org/viewcvs/incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/EncryptionTypeInfoEncoder.java?view=auto&rev=153017
==============================================================================
--- 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/EncryptionTypeInfoEncoder.java
 (added)
+++ 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/EncryptionTypeInfoEncoder.java
 Tue Feb  8 21:11:12 2005
@@ -0,0 +1,79 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+
+package org.apache.kerberos.io.encoder;
+
+import java.io.ByteArrayOutputStream;
+import java.io.IOException;
+
+import org.apache.asn1.der.ASN1OutputStream;
+import org.apache.asn1.der.DERInteger;
+import org.apache.asn1.der.DEROctetString;
+import org.apache.asn1.der.DERSequence;
+import org.apache.asn1.der.DERTaggedObject;
+import org.apache.kerberos.messages.value.EncryptionTypeInfoEntry;
+
+
+public class EncryptionTypeInfoEncoder
+{
+       public static byte[] encode( EncryptionTypeInfoEntry[] entries )
+                       throws IOException
+       {
+           ByteArrayOutputStream baos = new ByteArrayOutputStream();
+           ASN1OutputStream aos = new ASN1OutputStream( baos );
+           aos.writeObject( encodeSequence( entries ) );
+           aos.close();
+           
+           return baos.toByteArray();
+       }
+       
+       /**
+        * ETYPE-INFO              ::= SEQUENCE OF ETYPE-INFO-ENTRY
+        */
+       protected static DERSequence encodeSequence( EncryptionTypeInfoEntry[] 
entries )
+       {
+           DERSequence sequence = new DERSequence();
+           
+           for ( int ii = 0; ii < entries.length; ii++ )
+           {
+               sequence.add( encode( entries[ ii ] ) );
+           }
+           
+           return sequence;
+       }
+    
+       /**
+        * ETYPE-INFO-ENTRY        ::= SEQUENCE {
+     *     etype               [0] Int32,
+     *     salt                [1] OCTET STRING OPTIONAL
+     * }
+        */
+       protected static DERSequence encode( EncryptionTypeInfoEntry entry )
+       {
+               DERSequence sequence = new DERSequence();
+               
+               sequence.add( new DERTaggedObject( 0, DERInteger.valueOf( 
entry.getEncryptionType().getOrdinal() ) ) );
+               
+               if ( entry.getSalt() != null )
+               {
+                   sequence.add( new DERTaggedObject( 1, new DEROctetString( 
entry.getSalt() ) ) );
+               }
+               
+               return sequence;
+       }
+}
+
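Review bot: The public `encode( EncryptionTypeInfoEntry[] )` and both helpers ship without Javadoc, and `encodeSequence` dereferences `entries` with no null guard, so a null array surfaces as a NullPointerException from inside the encoder rather than as a clear argument error; either document that `entries` must be non-null or reject it up front with `if ( entries == null ) throw new IllegalArgumentException( "entries" );`. The etype integer is taken from `getEncryptionType().getOrdinal()`, which is only correct if that ordinal is the protocol etype number rather than an enum position — the hunk does not show `EncryptionType`, so I would mark it: `// etype is the protocol Int32 value; assumes getOrdinal() returns that number, not a declaration index — confirm`. A class comment naming the structure would help too: `/** DER-encodes an ETYPE-INFO (SEQUENCE OF ETYPE-INFO-ENTRY) for the e-data of a KDC_ERR_PREAUTH_REQUIRED KRB-ERROR. */`. Minor style: the Javadoc block before `encode( EncryptionTypeInfoEntry )` mixes tab and space indentation, unlike the rest of the file.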

Modified: 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/PreAuthenticationDataEncoder.java
URL: 
http://svn.apache.org/viewcvs/incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/PreAuthenticationDataEncoder.java?view=diff&r1=153016&r2=153017
==============================================================================
--- 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/PreAuthenticationDataEncoder.java
 (original)
+++ 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/io/encoder/PreAuthenticationDataEncoder.java
 Tue Feb  8 21:11:12 2005
@@ -30,29 +30,46 @@
 
 public class PreAuthenticationDataEncoder
 {
-       public byte[] encode( PreAuthenticationData preAuth ) throws IOException
+       public static byte[] encode( PreAuthenticationData[] preAuth )
+                       throws IOException
        {
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                ASN1OutputStream aos = new ASN1OutputStream( baos );
                
-               aos.writeObject( encodePreAuth( preAuth ) );
+               aos.writeObject( encodeSequence( preAuth ) );
                aos.close();
 
                return baos.toByteArray();
        }
        
+       protected static DERSequence encodeSequence( PreAuthenticationData[] 
preAuth )
+       {
+               DERSequence sequence = new DERSequence();
+               
+               for ( int ii = 0; ii < preAuth.length; ii++ )
+               {
+                       sequence.add( encode( preAuth[ ii ] ) );
+               }
+               
+               return sequence;
+       }
+       
        /**
         * PA-DATA ::=        SEQUENCE {
         *         padata-type[1]        INTEGER,
         *         padata-value[2]       OCTET STRING
         * }
         */
-       private DERSequence encodePreAuth( PreAuthenticationData preAuth )
+       protected static DERSequence encode( PreAuthenticationData preAuth )
        {
                DERSequence sequence = new DERSequence();
                
                sequence.add( new DERTaggedObject( 1, DERInteger.valueOf( 
preAuth.getDataType().getOrdinal() ) ) );
-               sequence.add( new DERTaggedObject( 2, new DEROctetString( 
preAuth.getDataValue() ) ) );
+               
+               if ( preAuth.getDataValue() != null )
+               {
+                   sequence.add( new DERTaggedObject( 2, new DEROctetString( 
preAuth.getDataValue() ) ) );
+               }
                
                return sequence;
        }
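Review bot: The new null branch in `encode( PreAuthenticationData )` silently omits the `[2]` element, but the ASN.1 quoted in the method's own comment declares `padata-value` as a mandatory OCTET STRING, so a PA-DATA with a null value is encoded as something no schema-conforming decoder will accept while the comment still says the field is required. Encoding an empty OCTET STRING instead keeps the structure valid: `byte[] value = preAuth.getDataValue() == null ? new byte[ 0 ] : preAuth.getDataValue();` followed by the unconditional `sequence.add( new DERTaggedObject( 2, new DEROctetString( value ) ) );` (the one caller added in this commit already passes `new byte[ 0 ]` for PA-ENC-TIMESTAMP, so nothing visible here relies on the omission). Note also that the public entry point changed from an instance method taking a single `PreAuthenticationData` to a static method taking an array, which breaks any existing caller of the old form; I cannot see other callers in this diff, so worth a grep before merging. The class's remaining lines fall outside this hunk.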

Modified: 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/AuthenticationService.java
URL: 
http://svn.apache.org/viewcvs/incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/AuthenticationService.java?view=diff&r1=153016&r2=153017
==============================================================================
--- 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/AuthenticationService.java
 (original)
+++ 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/AuthenticationService.java
 Tue Feb  8 21:11:12 2005
@@ -30,6 +30,8 @@
 import org.apache.kerberos.io.decoder.EncryptedTimestampDecoder;
 import org.apache.kerberos.io.encoder.EncAsRepPartEncoder;
 import org.apache.kerberos.io.encoder.EncTicketPartEncoder;
+import org.apache.kerberos.io.encoder.EncryptionTypeInfoEncoder;
+import org.apache.kerberos.io.encoder.PreAuthenticationDataEncoder;
 import org.apache.kerberos.kdc.store.PrincipalStore;
 import org.apache.kerberos.kdc.store.PrincipalStoreEntry;
 import org.apache.kerberos.messages.AuthenticationReply;
@@ -40,10 +42,12 @@
 import org.apache.kerberos.messages.value.EncryptedData;
 import org.apache.kerberos.messages.value.EncryptedTimeStamp;
 import org.apache.kerberos.messages.value.EncryptionKey;
+import org.apache.kerberos.messages.value.EncryptionTypeInfoEntry;
 import org.apache.kerberos.messages.value.KdcOptions;
 import org.apache.kerberos.messages.value.KerberosTime;
 import org.apache.kerberos.messages.value.LastRequest;
 import org.apache.kerberos.messages.value.PreAuthenticationData;
+import org.apache.kerberos.messages.value.PreAuthenticationDataModifier;
 import org.apache.kerberos.messages.value.PreAuthenticationDataType;
 import org.apache.kerberos.messages.value.TicketFlags;
 import org.apache.kerberos.messages.value.TransitedEncoding;
@@ -104,7 +108,7 @@
                            
                        if ( preAuthData == null )
                        {
-                           throw KerberosException.KDC_ERR_PREAUTH_REQUIRED;
+                           throw new KdcErrorPreauthRequired( 
preparePreAuthenticationError() );
                        }
                        
                        EncryptedTimeStamp timestamp = null;
@@ -137,7 +141,7 @@
                            
                        if ( timestamp == null )
                        {
-                           throw KerberosException.KDC_ERR_PREAUTH_REQUIRED;
+                           throw new KdcErrorPreauthRequired( 
preparePreAuthenticationError() );
                        }
                            
                        if ( !timestamp.getTimeStamp().isInClockSkew( 
config.getClockSkew() ) )
@@ -183,6 +187,48 @@
            System.out.println( "Ticket will be issued to client " + 
clientPrincipal.toString() + "." );
            
            return clientKey;
+       }
+       
+       private byte[] preparePreAuthenticationError()
+       {
+           PreAuthenticationData[] paDataSequence = new PreAuthenticationData[ 
2 ];
+           
+           PreAuthenticationDataModifier modifier = new 
PreAuthenticationDataModifier();
+           modifier.setDataType( PreAuthenticationDataType.PA_ENC_TIMESTAMP );
+           modifier.setDataValue( new byte[ 0 ] );
+           
+           paDataSequence[ 0 ] = modifier.getPreAuthenticationData();
+           
+           EncryptionTypeInfoEntry[] entries = new EncryptionTypeInfoEntry[ 1 
];
+           entries[ 0 ] = new EncryptionTypeInfoEntry( 
EncryptionType.DES_CBC_MD5, null );
+           
+           byte[] encTypeInfo = null;
+           
+           try
+           {
+               encTypeInfo = EncryptionTypeInfoEncoder.encode( entries );
+           }
+           catch (IOException ioe)
+           {
+               ioe.printStackTrace();
+               return null;
+           }
+           
+           PreAuthenticationDataModifier encTypeModifier = new 
PreAuthenticationDataModifier();
+           encTypeModifier.setDataType( 
PreAuthenticationDataType.PA_ENCTYPE_INFO );
+           encTypeModifier.setDataValue( encTypeInfo );
+           
+           paDataSequence[ 1 ] = encTypeModifier.getPreAuthenticationData();
+           
+           try
+           {
+               return PreAuthenticationDataEncoder.encode( paDataSequence );
+           }
+           catch (IOException ioe)
+           {
+               ioe.printStackTrace();
+               return null;
+           }
        }
        
        // TODO - client and server parameters; requires store
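Review bot: `preparePreAuthenticationError()` hard-codes the ETYPE-INFO hint to `EncryptionType.DES_CBC_MD5` with a null salt instead of deriving it from the client's stored key, so every client is steered toward single-DES pre-authentication and the default salt regardless of what the principal store holds — and if the store's key for that principal has another type or salt, the resulting PA-ENC-TIMESTAMP cannot be verified and the client loops on PREAUTH_REQUIRED. I would pass the client entry's key type in, `private byte[] preparePreAuthenticationError( EncryptionType etype )` with `entries[ 0 ] = new EncryptionTypeInfoEntry( etype, null );`, assuming `PrincipalStoreEntry` exposes it (not visible in this hunk — confirm). Separately, both catch blocks `printStackTrace()` and return null, so an encoding failure produces a `KdcErrorPreauthRequired` carrying null e-data; the input is entirely KDC-generated, so this is an internal error and should be rethrown (e.g. wrapped in an unchecked exception) rather than printed and swallowed. A short Javadoc stating that the method builds the METHOD-DATA for the KDC_ERR_PREAUTH_REQUIRED e-data (PA-ENC-TIMESTAMP plus PA-ETYPE-INFO) would make the intent explicit.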

Added: 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/KdcErrorPreauthRequired.java
URL: 
http://svn.apache.org/viewcvs/incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/KdcErrorPreauthRequired.java?view=auto&rev=153017
==============================================================================
--- 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/KdcErrorPreauthRequired.java
 (added)
+++ 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/kdc/KdcErrorPreauthRequired.java
 Tue Feb  8 21:11:12 2005
@@ -0,0 +1,43 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+
+package org.apache.kerberos.kdc;
+
+/**
+ * A Kerberos exception representing the requirement of pre-authentication by 
the client.
+ *
+ * @author <a href="mailto:[EMAIL PROTECTED]">Apache Directory Project</a>
+ * @version $Rev$
+ */
+public class KdcErrorPreauthRequired extends KerberosException
+{
+    /** the code associated with this protocol error */
+    public static final int CODE = 25;
+
+    /** the standard message associated with this protocol error */
+    public static final String MSG = "Additional pre-authentication required";
+
+
+    /**
+     * Creates an exception representing the requirement of pre-authentication 
by the client.
+     */
+    public KdcErrorPreauthRequired( byte[] explanatoryData )
+    {
+        super( CODE, MSG, explanatoryData );
+    }
+}
+
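Review bot: `CODE = 25` re-types the error code that `KerberosException.KDC_ERR_PREAUTH_REQUIRED` — the constant both call sites in AuthenticationService used before this commit — already encodes, so the same protocol number now lives in two places and can drift; if `KerberosException` exposes that code, reference it here instead of the literal (the class is not in this diff, so confirm). The constructor's parameter is undocumented, and the caller added in this commit can pass null when encoding fails, so the Javadoc should state whether that is permitted: `@param explanatoryData DER-encoded METHOD-DATA (pre-authentication hints) carried in the KRB-ERROR e-data field; document whether null is allowed`. The `@author` address has been redacted to `[EMAIL PROTECTED]` in this listing, which is presumably a mailing-list artifact rather than the committed text.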

Added: 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/messages/value/EncryptionTypeInfoEntry.java
URL: 
http://svn.apache.org/viewcvs/incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/messages/value/EncryptionTypeInfoEntry.java?view=auto&rev=153017
==============================================================================
--- 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/messages/value/EncryptionTypeInfoEntry.java
 (added)
+++ 
incubator/directory/protocols/kerberos/trunk/core/src/java/org/apache/kerberos/messages/value/EncryptionTypeInfoEntry.java
 Tue Feb  8 21:11:12 2005
@@ -0,0 +1,46 @@
+/*
+ *   Copyright 2005 The Apache Software Foundation
+ *
+ *   Licensed under the Apache License, Version 2.0 (the "License");
+ *   you may not use this file except in compliance with the License.
+ *   You may obtain a copy of the License at
+ *
+ *       http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *   Unless required by applicable law or agreed to in writing, software
+ *   distributed under the License is distributed on an "AS IS" BASIS,
+ *   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *   See the License for the specific language governing permissions and
+ *   limitations under the License.
+ *
+ */
+
+package org.apache.kerberos.messages.value;
+
+import org.apache.kerberos.crypto.encryption.EncryptionType;
+
+
+public class EncryptionTypeInfoEntry
+{
+       private EncryptionType encryptionType;
+       private byte[]         salt;
+       
+       
+       public EncryptionTypeInfoEntry( EncryptionType encryptionType, byte[] 
salt )
+       {
+               this.encryptionType = encryptionType;
+               this.salt           = salt;
+       }
+       
+       
+       public byte[] getSalt()
+       {
+               return salt;
+       }
+       
+       public EncryptionType getEncryptionType()
+       {
+               return encryptionType;
+       }   
+}
+
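Review bot: `EncryptionTypeInfoEntry` stores and returns `salt` by reference, so a caller that keeps the array it passed to the constructor — or one returned by `getSalt()` — can change the salt after construction, which defeats the value object's immutability and lets the bytes handed to `EncryptionTypeInfoEncoder` differ from what was originally set. Defensive copies fix both sides: `this.salt = salt == null ? null : ( byte[] ) salt.clone();` in the constructor and `return salt == null ? null : ( byte[] ) salt.clone();` in the getter. The class also has no Javadoc; a one-liner such as `/** One ETYPE-INFO-ENTRY: an encryption type and the optional salt advertised with it (null when the entry carries no salt). */` plus `@param` lines on the constructor would document the null-salt case the encoder relies on.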

