Problem with V4 keys in krb5-1.2.5
Mike Friedman
mikef at ack.Berkeley.EDU
Mon Jun 24 11:28:55 EDT 2002
I've been testing krb5-1.2.5 in preparation for an upgrade of my KDC from
1.2.1 and I noticed something interesting.

It seems that I get a preauth failure when I try to get credentials for a
principal whose key was created on our old V4 KDC (several years ago).
(All my principals are set with REQUIRES_PREAUTH).

The key looks like this:

    Key: vno xx, DES cbc mode with CRC-32, Version 4

If I change the password (to the same value), thereby generating a set of keys
that looks like this:

    Key: vno xx, DES cbc mode with CRC-32, no salt
    Key: vno xx, DES cbc mode with RSA-MD5, Version 4
    Key: vno xx, DES cbc mode with RSA-MD5, Version 5 - No Realm
    Key: vno xx, DES cbc mode with RSA-MD5, Version 5 - Realm Only
    Key: vno xx, DES cbc mode with RSA-MD5, AFS version 3

the problem goes away.

(I masked out the vno, so as not to confuse the issue. The second set of
keys is for a different user than the first; I had already changed the
password of the first user and don't have its old key versions available).

My kdc.conf, which I copied from my V1.2.1 KDC (where this problem didn't
occur), contains the following 'supported_enctypes':

    des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:v4

I was under the impression that 'des-cbc-crc:normal' and 'des-cbc-crc:v4'
were all that are necessary to support the old keys.

I don't think I have too many principals with old V4 keys, but I'm wondering
if there's anything I can do to fix this in a way that is transparent to users.

Thanks.

Mike
------------------------------------------------------------------------------
Mike Friedman System and Network Security
mikef at ack.Berkeley.EDU 2484 Shattuck Avenue
1-510-642-1410 University of California at Berkeley
http://ack.Berkeley.EDU/~mikef http://security.berkeley.edu
------------------------------------------------------------------------------
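
Added example, not part of the original post: a small parser that scopes how many principals are in the state described above, i.e. every key they hold carries the "Version 4" salt. The "Key:" lines follow the format quoted in the message; the "Principal:" header line, the realm and the principal names in the sample are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of concatenated getprinc output.
# "Key:" lines use the format quoted in the post; the "Principal:" header
# line and all names are assumptions made for this example.
SAMPLE = """\
Principal: alice@EXAMPLE.EDU
Key: vno 3, DES cbc mode with CRC-32, Version 4
Principal: bob@EXAMPLE.EDU
Key: vno 7, DES cbc mode with CRC-32, no salt
Key: vno 7, DES cbc mode with RSA-MD5, Version 4
Key: vno 7, DES cbc mode with RSA-MD5, Version 5 - No Realm
Principal: carol@EXAMPLE.EDU
Key: vno 2, DES cbc mode with CRC-32, Version 4
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

# Key: vno <n>, <enctype description>, <salt description>
KEY_RE = re.compile(r"^Key:\s*vno\s+(\S+),\s*(.+?),\s*(.+?)\s*$")

def parse_principals(text):
    """Return {principal: [(vno, enctype, salt), ...]} from getprinc-style text."""
    principals, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            principals[current] = []
        elif current is not None:
            m = KEY_RE.match(line)
            if m:
                principals[current].append(m.groups())
    return principals

def v4_only(principals):
    """Principals that have keys, all of which carry the 'Version 4' salt."""
    return sorted(
        name for name, keys in principals.items()
        if keys and all(salt == "Version 4" for _, _, salt in keys)
    )

if __name__ == "__main__":
    for name in v4_only(parse_principals(SAMPLE)):
        print(name)
```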