Enctype Negotiation Problem

Jeffrey Hutzelman jhutz at cmu.edu
Wed Oct 11 18:51:44 EDT 2006

On Wednesday, October 11, 2006 06:16:33 PM -0400 Marcus Watts 
<mdw at umich.edu> wrote:

> In the MIT kerberos source, there's a pair of routines
> select_session_keytype and dbentry_supports_enctype that are probably
> making this decision for you. Here's the comment in
> dbentry_supports_enctype:
>     /*
>      * If it's DES_CBC_MD5, there's a bit in the attribute mask which
>      * checks to see if we support it.  For now, treat it as always
>      * clear.
>      *
>      * In theory everything's supposed to support DES_CBC_MD5, but
>      * that's not the reality....
>      */
> Unfortunately, that's followed immediately by
> 	if (enctype == ENCTYPE_DES_CBC_MD5) return 0;
> which should have the effect "never use des-cbc-md5".
> Presumably the "bit in the attribute mask" never got implemented.
> The bit itself appears to be defined -- looks like it's called
> KRB5_KDB_SUPPORT_DESMD5 (0x4000) or "support_desmd5".

Except the issue here is he's getting a DES_CBC_MD4 session key when he 
wants DES_CBC_CRC.  The "why" is likely in the code you're quoting - 
DES_CBC_MD4 is a "better" enctype, and both sides appear to support it 
(since the single-des types are interchangeable).

I'd be curious to know how the resulting ticket is not "useful"; that is, 
what application is being used and what error results when attempting to 
use that ticket.

-- Jeff

More information about the Kerberos mailing list