Mystery AFS/Kerberos packet
Tom Yu
tlyu at MIT.EDU
Fri Jan 23 02:39:07 EST 2004
>>>>> "john" == John Hascall <john at iastate.edu> writes:
john> We are running OpenAFS 1.2.11, but not kaserver,
john> we are running MIT Kerberos 1.2.6 (but not on the "afs db servers"),
john> we are using the kaforwarder/fakeka stuff.
john> For most of our users this works fine. I have one user
john> who can't authenticate his PC.
What OS? What software is failing? Are initial tickets obtained?
john> I am seeing the following packets arrive at the afs db server
john> which look like some sort of a K5 request for an afs ticket:
What port are they arriving on? And on UDP, I presume? From the
failing client's IP address? More information would be useful.
john> 6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
john> c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .
I'm not sure, but the tail bit of it looks like part of a krb4 initial
ticket request by "user" for "afs at IASTATE.EDU", with lifetime 5 hours
15 minutes, around 21 January 2004 (assuming little-endian).
The use of nul bytes after certain string components strongly implies
krb4. Of course, I'm not sure how a kaserver request would look, so I
could be mistaken. Any OpenAFS people want to speak up about this?
john> except the first byte (packet type) of 0x63 seems to be unknown.
john> Any ideas what this is?
I have no idea what the preceding stuff is; perhaps it is some
kaserver stuff. It is almost definitely not krb5. The leading 0x63
could be for "constructed [APPLICATION 3]" in ASN.1, but having a
length descriptor of "3" makes it unlikely to be real ASN.1, given the
other stuff. Also, that [APPLICATION 3] tag would make it an
EncTicketPart, which the rest of it does not appear to be, and an
EncTicketPart would have been in encrypted form anyway.
---Tom
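
Added example, not part of the original message or of any Kerberos/OpenAFS code: a Python sketch that decodes the tail of the quoted packet as the krb4 request fields the reply reads off it (NUL-terminated name, instance, realm, a 4-byte time, a 1-byte lifetime in 5-minute units, then service and service instance). Assumptions: the redacted XXXXXXXX is replaced by the ASCII bytes of "user" as in the poster's character dump, the first 10 bytes are treated as an unidentified prefix, and the function and constant names are hypothetical.

```python
import struct
from datetime import datetime, timezone

# Constructed input: the hex from the post with the redacted XXXXXXXX
# replaced by the ASCII bytes of "user", matching the post's character dump.
PACKET_HEX = ("6303373b766d61124537" "75736572" "0000"
              "494153544154452e45445500" "67710e40" "3f" "6166730000")
PREFIX_LEN = 10  # assumption: unidentified leading bytes before the name


def _cstr(buf, pos):
    """Read one NUL-terminated string; return (text, next offset)."""
    end = buf.index(b"\x00", pos)  # ValueError if the terminator is missing
    return buf[pos:end].decode("ascii"), end + 1


def parse_krb4_tail(buf, pos=PREFIX_LEN, little_endian=True):
    """Decode name, instance, realm, time, lifetime, service, service instance."""
    out = {}
    for key in ("name", "instance", "realm"):
        out[key], pos = _cstr(buf, pos)
    if len(buf) < pos + 5:
        raise ValueError("truncated before timestamp/lifetime")
    (ts,) = struct.unpack_from("<I" if little_endian else ">I", buf, pos)
    out["time"] = datetime.fromtimestamp(ts, tz=timezone.utc)
    # Assumes the plain krb4 encoding of 5-minute units (0x3f is in that range).
    out["life_minutes"] = buf[pos + 4] * 5
    pos += 5
    for key in ("service", "service_instance"):
        out[key], pos = _cstr(buf, pos)
    out["trailing"] = buf[pos:]  # anything left over after the last field
    return out


if __name__ == "__main__":
    for k, v in parse_krb4_tail(bytes.fromhex(PACKET_HEX)).items():
        print(f"{k:17} {v}")
```

Passing little_endian=False shows why the byte-order assumption matters: the same four bytes then decode to a date in 2024 rather than January 2004.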