Mystery AFS/Kerberos packet

Tom Yu tlyu at MIT.EDU
Fri Jan 23 02:39:07 EST 2004


>>>>> "john" == John Hascall <john at iastate.edu> writes:

john> We are running OpenAFS 1.2.11, but not kaserver,
john> we are running MIT Kerberos 1.2.6 (but not on the "afs db servers"),
john> we are using the kaforwarder/fakeka stuff.

john> For most of our users this works fine.  I have one user
john> who can't authenticate his PC.

What OS?  What software is failing?  Are initial tickets obtained?

john> I am seeing the following packets arrive at the afs db server
john> which look like some sort of a K5 request for an afs ticket:

What port are they arriving on?  And on UDP, I presume?  From the
failing client's IP address?  More information would be useful.

john> 6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
john>  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .

I'm not sure, but the tail bit of it looks like part of a krb4 initial
ticket request by "user" for "afs at IASTATE.EDU", with lifetime 5 hours
15 minutes, around 21 January 2004 (assuming little-endian).

The use of nul bytes after certain string components strongly implies
krb4.  Of course, I'm not sure how a kaserver request would look, so I
could be mistaken.  Any OpenAFS people want to speak up about this?

john> except the first byte (packet type) of 0x63 seems to be unknown.

john> Any ideas what this is?

I have no idea what the preceding stuff is; perhaps it is some
kaserver stuff.  It is almost definitely not krb5.  The leading 0x63
could be for "constructed [APPLICATION 3]" in ASN.1, but having a
length descriptor of "3" makes it unlikely to be real ASN.1, given the
other stuff.  Also, that [APPLICATION 3] tag would make it an
EncTicketPart, which the rest of it does not appear to be, and an
EncTicketPart would have been in encrypted form anyway.

---Tom


More information about the Kerberos mailing list