GSSAPI RFC4121 token support

Derrick Brashear shadow at gmail.com
Mon Dec 6 13:41:31 EST 2010


Hi,

From a little expedition this morning comparing interoperability with
MIT and Heimdal GSSAPI tools, it seems that support for new tokens
hasn't been applied correctly with respect to RFC 4121.

A Heimdal snapshot from earlier today incorrectly did not treat
des3-cbc-sha1 (enctype 7) as a "not newer" enctype, while Kerberos 1.6
treats des-cbc-md4 (enctype 2) as new and thus happily passes a valid
tok_id 0101 token to be parsed as a new-style (0404) token... where it
fails.

This bug is not present in MIT 1.8.

So, for those having interoperability issues especially between
Heimdal clients and MIT 1.6 servers, you may need
to patch krb5_gss_accept_sec_context on your server.

Fair warning.


-- 
Derrick
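
The consistency rule behind the two failures described above, as an added example that is not part of the original post and is not MIT or Heimdal code: the enctype class decides which MIC token format (tok_id 0101 or 0404) a peer should emit and accept. The function names and the legacy enctype set beyond the two enctypes named in the message (2 and 7) are assumptions; the sample tokens are constructed and start at the TOK_ID bytes, after any outer framing.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum tok_format { TOK_UNKNOWN, TOK_RFC1964, TOK_RFC4121 };

/* Return 0 for enctypes that keep the RFC 1964 token formats ("not newer").
 * Assumed legacy set: single DES (1, 2, 3), triple DES (5, 7, 16), RC4 (23, 24). */
static int enctype_is_newer(int32_t enctype)
{
    switch (enctype) {
    case 1: case 2: case 3:   /* des-cbc-crc, des-cbc-md4, des-cbc-md5 */
    case 5: case 7: case 16:  /* des3-cbc-md5, des3-cbc-sha1, des3-cbc-sha1-kd */
    case 23: case 24:         /* rc4-hmac, rc4-hmac-exp */
        return 0;
    default:
        return 1;
    }
}

/* Classify a MIC token by its two TOK_ID bytes. */
static enum tok_format mic_token_format(const uint8_t *tok, size_t len)
{
    if (tok == NULL || len < 2)
        return TOK_UNKNOWN;
    if (tok[0] == 0x01 && tok[1] == 0x01)
        return TOK_RFC1964;
    if (tok[0] == 0x04 && tok[1] == 0x04)
        return TOK_RFC4121;
    return TOK_UNKNOWN;
}

/* 0: format matches the enctype class; -1: short or unknown TOK_ID;
 * -2: format and enctype class disagree (the interoperability failure). */
int check_mic_token(int32_t enctype, const uint8_t *tok, size_t len)
{
    enum tok_format got = mic_token_format(tok, len);
    if (got == TOK_UNKNOWN)
        return -1;
    return got == (enctype_is_newer(enctype) ? TOK_RFC4121 : TOK_RFC1964) ? 0 : -2;
}

int main(void)
{
    const uint8_t old_mic[] = { 0x01, 0x01, 0x00, 0x00 };  /* constructed sample */
    printf("enctype 2 with tok_id 0101: %d\n", check_mic_token(2, old_mic, sizeof old_mic));
    printf("enctype 18 with tok_id 0101: %d\n", check_mic_token(18, old_mic, sizeof old_mic));
    return 0;
}
```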