GSSAPI issue from Windows clients
Carson Gaspar
carson at taltos.org
Wed Feb 16 03:07:43 EST 2011
While tracking down an openssh GSSAPI auth issue, I've fallen into the
bowels of the KRB5 libraries.
Client is Win 2k3, using x-realm auth from AD to our MIT KDC.
When linking against 1.6.x libs, everything works fine.
When linking against 1.8.x or 1.9, it fails with KRB5_BAD_MSIZE
I backtraced it to krb5int_hmac_keyblock complaining that output->length
(8) is less than hash->hashsize (16).
This is being called from krb5int_hmacmd5_checksum, where I see
key->keyblock.enctype is 1 (ENCTYPE_DES_CFB64), key->keyblock.length is 8
This all appear to make sense (DES is a 64-bit key, MD5 output is 128
bits), but of course fails miserably.
Does anyone have any clues to lend? I see a note in 1.8.3 that some
things were taking the MS MD5 code path that shouldn't be, but 1.8.3
claims to fix that, and 1.8.3 fails the same way 1.8.2 does.
--
Carson
More information about the Kerberos
mailing list