Enctype Negotiation Problem
jhutz at cmu.edu
Wed Oct 11 18:51:44 EDT 2006
On Wednesday, October 11, 2006 06:16:33 PM -0400 Marcus Watts
<mdw at umich.edu> wrote:
> In the MIT kerberos source, there's a pair of routines
> select_session_keytype and dbentry_supports_enctype that are probably
> making this decision for you. Here's the comment in
> * If it's DES_CBC_MD5, there's a bit in the attribute mask which
> * checks to see if we support it. For now, treat it as always
> * clear.
> * In theory everything's supposed to support DES_CBC_MD5, but
> * that's not the reality....
> Unfortunately, that's followed immediately by
> if (enctype == ENCTYPE_DES_CBC_MD5) return 0;
> which should have the effect "never use des-cbc-md5".
> Presumably the "bit in the attribute mask" never got implemented.
> The bit itself appears to be defined -- looks like it's called
> KRB5_KDB_SUPPORT_DESMD5 (0x4000) or "support_desmd5".
Except the issue here is he's getting a DES_CBC_MD4 session key when he
wants DES_CBC_CRC. The "why" is likely in the code you're quoting -
DES_CBC_MD4 is a "better" enctype, and both sides appear to support it
(since the single-des types are interchangeable).
I'd be curious to know how the resulting ticket is not "useful"; that is,
what application is being used and what error results when attempting to
use that ticket.
More information about the Kerberos