gss_wrap/gss_unwrap issues between Heimdal and MIT

Russ Allbery rra at stanford.edu
Fri Dec 23 01:04:45 EST 2005


Hello all,

I maintain a server/client package for simple remote command execution
with specific ACLs using GSSAPI authentication.  (Kind of like rsh crossed
with sudo, but very simple.)  I developed it with MIT Kerberos and today
tried to port it to Heimdal.

After correcting for the standard Heimdal vs. MIT differences (include
header names, library names, GSS_NT_USER_NAME, GSS_KRB5_MECHANISM but no
string to OID parsing routines), the source now builds, but when I try to
connect with a Heimdal client to an MIT server, it fails.  Establishment
of a context succeeds, but when the server attempts to gss_unwrap a token
that the client created with gss_wrap, it fails with GSS_S_DEFECTIVE_TOKEN
(I think; the GSSAPI displayed error is "A token was invalid").

First, does anyone know about incompatibilities between Heimdal and MIT in
this area?  I tried both Heimdal 0.6 and Heimdal 0.7 against MIT 1.4.3.
The keys used are DES (no, not 3DES; yes, I know, we're fixing it).

Second, I'd love it if someone who knows Heimdal could take a look, as I'm
sort of poking in the dark.  You can download the source from:

    <http://www.eyrie.org/~eagle/software/remctl/>

and the current release has the porting work to get it to compile at
least.  I may just be doing something stupid incorrectly.

Thanks for any help!

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
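
A way to inspect the token that gss_unwrap rejects, added here as an example (not code from remctl, Heimdal or MIT): it parses the RFC 1964 header that Kerberos 5 gss_wrap tokens carry with DES keys and reports which framing check fails first. The names `wrap_hdr`, `parse_wrap_header` and `SAMPLE` are hypothetical, the sample bytes are constructed, and the input is assumed to be the raw token exactly as handed to gss_unwrap.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Header fields of an RFC 1964 (DES-era Kerberos 5) gss_wrap token. */
struct wrap_hdr {
    unsigned tok_id;   /* 0x0201 = wrap token, 0x0101 = MIC token */
    unsigned sgn_alg;  /* 0x0000 = DES MAC MD5, 0x0100 = MD2.5, 0x0200 = DES MAC */
    unsigned seal_alg; /* 0x0000 = DES, 0xffff = not encrypted */
};

/* DER encoding of the Kerberos 5 mechanism OID 1.2.840.113554.1.2.2. */
static const unsigned char KRB5_OID[] = {6,9,0x2a,0x86,0x48,0x86,0xf7,0x12,1,2,2};
/* Constructed sample: framing + header, then 24 zero bytes standing in
 * for SND_SEQ, SGN_CKSUM and the confounder. */
static const unsigned char SAMPLE[] = {
    0x60, 0x2b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x12, 0x01, 0x02, 0x02,
    0x02, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0 };

/* Returns 0 on success, or a negative code naming the first failed check. */
int parse_wrap_header(const unsigned char *t, size_t len, struct wrap_hdr *h)
{
    size_t p = 1, inner = 0;
    if (len < 2 || t[0] != 0x60) return -1;        /* no [APPLICATION 0] framing */
    if (t[p] < 0x80) inner = t[p++];               /* short-form DER length */
    else {                                         /* long-form DER length */
        unsigned n = t[p++] & 0x7f;
        if (n == 0 || n > sizeof(size_t) || len - p < n) return -2;
        while (n--) inner = (inner << 8) | t[p++];
    }
    if (inner != len - p) return -2;               /* truncated or trailing bytes */
    if (inner < sizeof(KRB5_OID) + 8) return -3;   /* too short for OID + header */
    if (memcmp(t + p, KRB5_OID, sizeof(KRB5_OID)) != 0) return -4; /* not krb5 */
    p += sizeof(KRB5_OID);
    h->tok_id   = (t[p] << 8) | t[p + 1];
    h->sgn_alg  = (t[p + 2] << 8) | t[p + 3];
    h->seal_alg = (t[p + 4] << 8) | t[p + 5];
    if (h->tok_id != 0x0201) return -5;            /* not a wrap token */
    if (t[p + 6] != 0xff || t[p + 7] != 0xff) return -6; /* bad filler bytes */
    return 0;
}

int main(void)
{
    struct wrap_hdr h = {0, 0, 0};
    int rc = parse_wrap_header(SAMPLE, sizeof(SAMPLE), &h);
    printf("rc=%d sgn_alg=%04x seal_alg=%04x\n", rc, h.sgn_alg, h.seal_alg);
    return rc != 0;
}
```

Running the same function over a token from each implementation's gss_wrap and comparing the return code and the SGN_ALG and SEAL_ALG fields shows whether the two sides disagree on framing or on algorithm selection.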


