Suitable Kerberos Server for Packet cable ??

ronnie sahlberg ronniesahlberg at gmail.com
Thu Jan 15 03:32:53 EST 2009


I think there is a company called Blue-Cable or something that does
these things.


I doubt that either a MIT or  Heimdal (or any rfc1510) server will
work since packet-cable uses a non-1510 implementation of kerberos 5.
Its very similar but there are subtle differences.
They use either a pre-1510 draft or a forked different standard, dont
know which, suspect the first.

>From experience implementing both packetcable and also 1510 in
wireshark we got around this by changing the ASN to make some
structure fields OPTIONAL which were OPTIONAL in packet-cable but were
mandatory in the official 1510.

The changes I had to make was rather smallish and I did put a comment
in packet-kerberos.c in wireshark to indicate these non-1510 changes.
This was possible since we only unmarshall packets and never marshall
them and thus sprinkling the ASN with extra OPTIONAL is harmless.

There might be additional changes required  if you also need to
marshall data. Dont know. You take lots of shortcuts when you only
unmarshall data.


I think I recall also other differences (not ASN changes) that related
to things like preauthentication types/blobs, enctypes, salt blobs
etc etc.
(Some which actually surprised me when they were resurrected in
microsoft ad krb5   with the same numbers and the same meaning
sometime around when w2k3 was released).


Was a long time ago I did packetcable for wireshark so my memory is hazy...
There was at some point a post on the wireshark mailinglist (long
after i implemented the packetcable changes in ws) that linked to a
full set of official specification for packetcable and in particular
their krb5 implementation.
This was in the days when wireshark was called ethereal.


regards
ronnie sahlberg


On Thu, Jan 15, 2009 at 7:08 PM, Aleem AKHTAR <aleem.akhtar at st.com> wrote:
>
> Hi,
>
> Could I get information which kerberos server is best suited for Packet cable project specification. Is there any limitation if we use open source krb5 server published by MIT ??
>In wireshark the incompatibility issue between 1510 and packetcable is minor since we only ever unmarshall packets and never mashall them.
>
> Thanks,
> Aleem
>
>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>



More information about the Kerberos mailing list