GSSAPI issue from Windows clients

Carson Gaspar carson at taltos.org
Wed Feb 16 03:07:43 EST 2011


While tracking down an openssh GSSAPI auth issue, I've fallen into the 
bowels of the KRB5 libraries.

Client is Win 2k3, using x-realm auth from AD to our MIT KDC.

When linking against 1.6.x libs, everything works fine.

When linking against 1.8.x or 1.9, it fails with KRB5_BAD_MSIZE

I backtraced it to krb5int_hmac_keyblock complaining that output->length 
(8) is less than hash->hashsize (16).

This is being called from krb5int_hmacmd5_checksum, where I see 
key->keyblock.enctype is 1 (ENCTYPE_DES_CFB64), key->keyblock.length is 8

This all appear to make sense (DES is a 64-bit key, MD5 output is 128 
bits), but of course fails miserably.

Does anyone have any clues to lend? I see a note in 1.8.3 that some 
things were taking the MS MD5 code path that shouldn't be, but 1.8.3 
claims to fix that, and 1.8.3 fails the same way 1.8.2 does.

-- 
Carson




More information about the Kerberos mailing list