gss_wrap/gss_unwrap issues between Heimdal and MIT
Russ Allbery
rra at stanford.edu
Fri Dec 23 01:04:45 EST 2005
Hello all,

I maintain a server/client package for simple remote command execution
with specific ACLs using GSSAPI authentication. (Kind of like rsh crossed
with sudo, but very simple.) I developed it with MIT Kerberos and today
tried to port it to Heimdal.

After correcting for the standard Heimdal vs. MIT differences (include
header names, library names, GSS_NT_USER_NAME, GSS_KRB5_MECHANISM but no
string to OID parsing routines), the source now builds, but when I try to
connect with a Heimdal client to an MIT server, it fails. Establishment
of a context succeeds, but when the server attempts to gss_unwrap a token
that the client created with gss_wrap, it fails with GSS_S_DEFECTIVE_TOKEN
(I think; the GSSAPI displayed error is "A token was invalid").

First, does anyone know about incompatibilities between Heimdal and MIT in
this area? I tried both Heimdal 0.6 and Heimdal 0.7 against MIT 1.4.3.
The keys used are DES (no, not 3DES; yes, I know, we're fixing it).

Second, I'd love it if someone who knows Heimdal could take a look, as I'm
sort of poking in the dark. You can download the source from:

<http://www.eyrie.org/~eagle/software/remctl/>

and the current release has the porting work to get it to compile at
least. I may just be doing something stupid incorrectly.

Thanks for any help!
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
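
Added example, not part of the original message and not code from remctl, MIT Kerberos or Heimdal: a small checker for the outer framing and header of a Kerberos V5 per-message token as laid out in RFC 1964 (the format used with the DES keys mentioned above), so the bytes a client's gss_wrap produced can be inspected when the peer's gss_unwrap rejects them. The names parse_wrap_token, wrap_hdr and SAMPLE are hypothetical, and the sample bytes are constructed, not captured.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* DER encoding of the Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964). */
static const uint8_t KRB5_OID[] = {0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};

/* Two-byte fields are kept in wire order, so the bytes 02 01 read as 0x0201. */
struct wrap_hdr { unsigned tok_id, sgn_alg, seal_alg; size_t body_len; };

/* Constructed sample: framing + wrap header, then 32 zero bytes standing in for
   SND_SEQ, SGN_CKSUM and the encrypted payload. Not a captured token. */
static const uint8_t SAMPLE[2 + 11 + 8 + 32] = {
    0x60, 0x33, 0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02,
    0x02,0x01, 0x00,0x00, 0x00,0x00, 0xff,0xff };

/* Returns 0 and fills *h, or a negative code for the first check that fails. */
int parse_wrap_token(const uint8_t *p, size_t n, struct wrap_hdr *h)
{
    size_t i = 0, len, k;
    if (n < 2 || p[i++] != 0x60) return -1;        /* [APPLICATION 0] tag */
    len = p[i++];
    if (len & 0x80) {                               /* long-form DER length */
        k = len & 0x7f;
        if (k == 0 || k > 4 || n - i < k) return -2;
        for (len = 0; k > 0; k--) len = (len << 8) | p[i++];
    }
    if (len != n - i) return -3;                    /* truncated or trailing bytes */
    if (len < sizeof KRB5_OID + 8) return -4;       /* no room for OID + header */
    if (memcmp(p + i, KRB5_OID, sizeof KRB5_OID) != 0) return -5;
    p += i + sizeof KRB5_OID;
    if (p[6] != 0xff || p[7] != 0xff) return -6;    /* filler must be ff ff */
    h->tok_id   = (unsigned)p[0] << 8 | p[1];       /* 02 01 = wrap, 01 01 = MIC */
    h->sgn_alg  = (unsigned)p[2] << 8 | p[3];       /* 00 00 = DES MAC MD5 */
    h->seal_alg = (unsigned)p[4] << 8 | p[5];       /* 00 00 = DES, ff ff = none */
    h->body_len = len - sizeof KRB5_OID - 8;        /* bytes after the 8-byte header */
    return 0;
}

int main(void)
{
    struct wrap_hdr h = {0};
    int rc = parse_wrap_token(SAMPLE, sizeof SAMPLE, &h);
    printf("rc=%d tok_id=%04x sgn_alg=%04x seal_alg=%04x body=%zu\n",
           rc, h.tok_id, h.sgn_alg, h.seal_alg, h.body_len);
    return rc != 0;
}
```

Running the same check on the token as sent and as received shows whether the bytes were altered in transit or whether the two libraries disagree about the token itself.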