svn rev #22356: trunk/src/lib/krb5/krb/

ghudson@MIT.EDU ghudson at MIT.EDU
Tue May 19 19:17:50 EDT 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=22356
Commit By: ghudson
Log Message:
ticket: 6490
status: open
tags: pullup

When using keyed checksum types with TGS subkeys, Microsoft AD 2003
verifies the checksum using the subkey, whereas MIT and Heimdal verify
it using the TGS session key.  (RFC 4120 is actually silent on which
is correct; RFC 4757 specifies the TGS session key.)  To sidestep this
interop issue, don't use keyed checksum types with RC4 keys without
explicit configuration in krb5.conf.  Using keyed checksum types with
AES is fine since, experimentally, AD 2008 accepts checksums keyed
with the TGS session key.



Changed Files:
U   trunk/src/lib/krb5/krb/send_tgs.c
Modified: trunk/src/lib/krb5/krb/send_tgs.c
===================================================================
--- trunk/src/lib/krb5/krb/send_tgs.c	2009-05-18 23:28:53 UTC (rev 22355)
+++ trunk/src/lib/krb5/krb/send_tgs.c	2009-05-19 23:17:49 UTC (rev 22356)
@@ -68,6 +68,8 @@
     case ENCTYPE_DES_CBC_CRC:
     case ENCTYPE_DES_CBC_MD4:
     case ENCTYPE_DES_CBC_MD5:
+    case ENCTYPE_ARCFOUR_HMAC:
+    case ENCTYPE_ARCFOUR_HMAC_EXP:
 	cksumtype = context->kdc_req_sumtype;
 	break;
     default:
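Review bot: The added ENCTYPE_ARCFOUR_HMAC and ENCTYPE_ARCFOUR_HMAC_EXP labels join the DES group with no comment explaining why RC4 keys are handled like the single-DES enctypes. The rationale exists only in the log message: AD 2003 verifies the keyed checksum with the subkey rather than the TGS session key (ticket 6490). Please add a short comment above the two new labels recording that interop reason, so a later cleanup of the DES cases does not remove or misread the RC4 ones. It is also worth stating at the assignment that the RC4 path now takes whatever context->kdc_req_sumtype holds, so that a keyed type is selected for RC4 only when that value has been set to one.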



