[krbdev.mit.edu #7100] trunk a86e885 does not deal with default salt

Sam Hartman via RT rt-comment at krbdev.mit.edu
Wed Mar 7 16:38:57 EST 2012


I have a 1.10 KDC and a principal configured as follows:

Key: vno 3, aes256-cts-hmac-sha1-96, no salt
Key: vno 3, des3-cbc-sha1, no salt
Key: vno 3, des-cbc-crc, no salt
Key: vno 3, des-cbc-md5, Version 4
Key: vno 3, des-cbc-md5, Version 5 - No Realm
Key: vno 3, des-cbc-md5, Version 5 - Realm Only
Key: vno 3, des-cbc-md5, AFS version 3



We get a decrypt integrity check failure because the salt is empty
(data 0 length 0) rather than being the default salt.

My guess is that the new ASN.1 decoder fails to distinguish an absent
salt sequence in etype_info2 from a v4 style present but empty octet
string sequence.

I'm not at all sure why regression tests don't catch this.
However, setting an onlyrealm salt does seem to fix this.
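
The absent-versus-empty distinction guessed at in the report, as an added example that is not part of the original message and is not MIT krb5's decoder. It assumes the RFC 4120 ETYPE-INFO2-ENTRY layout and short-form DER lengths; the names parse_salt, effective_salt and SALT_BUF, the realm, the principal and the sample encodings are constructed for illustration.

```c
#include <string.h>

typedef unsigned char u8;
/* The cases a decoder must keep apart (plus a parse error). */
enum salt_state { SALT_MALFORMED = -1, SALT_ABSENT, SALT_EMPTY, SALT_VALUE };

/* Read one DER TLV with the expected tag and a short-form length. */
static int tlv(const u8 **p, const u8 *end, int tag, const u8 **val, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != tag || ((*p)[1] & 0x80)) return -1;
    *len = (*p)[1];
    *val = *p + 2;
    if ((size_t)(end - *val) < *len) return -1;
    *p = *val + *len;
    return 0;
}

/* ETYPE-INFO2-ENTRY: SEQUENCE { etype [0], salt [1] OPTIONAL, s2kparams [2] OPTIONAL } */
enum salt_state parse_salt(const u8 *der, size_t n, const u8 **salt, size_t *slen)
{
    const u8 *p = der, *end = der + n, *v;
    size_t len;
    *salt = NULL; *slen = 0;
    if (tlv(&p, end, 0x30, &v, &len)) return SALT_MALFORMED;
    p = v; end = v + len;
    if (tlv(&p, end, 0xA0, &v, &len)) return SALT_MALFORMED; /* etype, skipped */
    if (p == end || *p != 0xA1) return SALT_ABSENT;    /* no [1] element at all */
    if (tlv(&p, end, 0xA1, &v, &len) || tlv(&v, v + len, 0x1B, salt, slen))
        return SALT_MALFORMED;
    return *slen ? SALT_VALUE : SALT_EMPTY;    /* present, possibly zero-length */
}

/* String-to-key salt: default salt (realm + name components) only when absent. */
long effective_salt(const u8 *der, size_t n, const char *realm, const char *name,
                    u8 *out, size_t cap)
{
    const u8 *salt;
    size_t slen, rl = strlen(realm), nl = strlen(name);
    enum salt_state st = parse_salt(der, n, &salt, &slen);
    if (st == SALT_MALFORMED || (st == SALT_ABSENT ? rl + nl : slen) > cap) return -1;
    if (st != SALT_ABSENT) { if (slen) memcpy(out, salt, slen); return (long)slen; }
    memcpy(out, realm, rl);
    memcpy(out + rl, name, nl);
    return (long)(rl + nl);
}

/* Constructed sample encodings, etype 18 (aes256-cts-hmac-sha1-96). */
static const u8 NO_SALT[]    = {0x30,0x05,0xA0,0x03,0x02,0x01,0x12};
static const u8 EMPTY_SALT[] = {0x30,0x09,0xA0,0x03,0x02,0x01,0x12,0xA1,0x02,0x1B,0x00};
static u8 SALT_BUF[64];      /* scratch output buffer for callers */
```

A decoder that reports both sample entries as a zero-length salt makes the client derive its key from an empty salt instead of the default one, which matches the symptom described above.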