bug report: S4U2Self Solaris-10 -> Windows-2003 fails with CKSUMTYPE_RSA_MD5_DES(8) checksum

Luke Howard lukeh at padl.com
Thu May 12 20:31:32 EDT 2011


I guess we could special case this for DES enctypes but as that checksum is unkeyed, it's not really desirable to use in the general case. Otherwise an attacker can change the impersonated principal name.

-- Luke

On 13/05/2011, at 2:07 AM, Richard Silverman wrote:

> Hello,
> 
> configuration
> -------------
>  client: MIT Kerberos 1.9.1 on Solaris-10
>     KDC: Windows 2003 domain controller
> 
> 
> Using the supplied t_s4u.c test program, S4U2Self fails with
> KRB5KRB_AP_ERR_MODIFIED (41).  The TGS_REQ uses a checksum of type
> CKSUMTYPE_RSA_MD5_DES(8) in the PA-S4U2SELF(129) field.  However, if I
> apply this patch to force CKSUMTYPE_CRC32(1) instead:
> 
> --------------------------------------------------------------------------------
> --- src/lib/krb5/krb/s4u_creds.c.orig   2010-04-22 23:29:40.000000000 +0000
> +++ src/lib/krb5/krb/s4u_creds.c        2011-05-12 23:55:48.504446000 +0000
> @@ -181,7 +181,7 @@
>         return code;
>     }
> 
> -    code = krb5_c_make_checksum(context, cksumtype, key,
> +    code = krb5_c_make_checksum(context, CKSUMTYPE_CRC32, key,
>                                 KRB5_KEYUSAGE_APP_DATA_CKSUM, &data,
>                                 cksum);
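Review bot: hardcoding CKSUMTYPE_CRC32 in the krb5_c_make_checksum call swaps the negotiated cksumtype for an unkeyed checksum, so `key` is still passed but no longer contributes to the value and the PA-S4U2SELF name is no longer bound to the TGT session key: anyone who can rewrite the request can recompute the CRC. That is fine as a local interoperability experiment, but not as the general fix; if the Windows 2003 KDC only accepts CRC32 for DES session keys, gate the substitution on the DES enctypes instead of applying it for every enctype, and note that within this hunk `cksumtype` is no longer referenced at all.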
> --------------------------------------------------------------------------------
> 
> ... then the S4U2Self request succeeds.  I thought to do this because I
> already had it working with Heimdal, and it uses the CRC checksum.
> 
> I have attached network traces of the failing and working transactions.
> The principal impersonator/dportal at DESHAW.COM is authorized on the Windows
> KDC for constrained delegation with protocol transition; this transaction
> asks for a S4U2Self ticket issued to res at DESHAW.COM for
> impersonator/dportal at DESHAW.COM.
> 
> Thanks,
> 
> - Richard Silverman
>  res at qoxp.net
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
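A Python model of why the checksum type in PA-S4U2SELF matters, added here as an illustration and not code from MIT krb5 or from this thread; it assumes the MS-SFU layout of the checksum input (little-endian name-type, name strings, realm, auth-package), a constructed session key, and uses zlib's CRC-32 as a stand-in for the Kerberos crc32 type:

```python
import hmac
import struct
import zlib
from hashlib import md5

KRB5_NT_PRINCIPAL = 1  # name-type of a plain user principal


def pa_for_user_bytes(name_parts, realm, auth_package="Kerberos"):
    """Constructed model of the PA-FOR-USER checksum input (MS-SFU 2.2.1):
    4-byte little-endian name-type, then the name strings, realm, auth-package."""
    buf = struct.pack("<I", KRB5_NT_PRINCIPAL)
    for part in name_parts:
        buf += part.encode()
    return buf + realm.encode() + auth_package.encode()


def unkeyed_checksum(data):
    # Stand-in for an unkeyed type such as CKSUMTYPE_CRC32: anyone can recompute it.
    # zlib's CRC-32 is not byte-identical to the Kerberos crc32 variant; the
    # property shown here, that no key is involved, is the same.
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def keyed_checksum(data, session_key):
    # HMAC-MD5 keyed with the TGT session key (key usage 17), the checksum
    # MS-SFU specifies for PA-FOR-USER; the key is assumed, not derived here.
    return hmac.new(session_key, data, md5).digest()


def kdc_accepts(data, cksum, session_key, keyed):
    """KDC-side check: recompute the checksum over the received padata and compare."""
    expected = keyed_checksum(data, session_key) if keyed else unkeyed_checksum(data)
    return hmac.compare_digest(expected, cksum)


def name_change_detected(keyed):
    """Return True if the KDC rejects a request whose impersonated name was
    rewritten in transit, for a keyed or an unkeyed checksum type."""
    session_key = b"\x11" * 16  # constructed; shared only by client and KDC
    original = pa_for_user_bytes(["res"], "DESHAW.COM")
    good = keyed_checksum(original, session_key) if keyed else unkeyed_checksum(original)
    altered = pa_for_user_bytes(["someone-else"], "DESHAW.COM")
    # Whoever rewrote the name can recompute an unkeyed checksum but, lacking the
    # session key, can only present the stale keyed value.
    presented = good if keyed else unkeyed_checksum(altered)
    return not kdc_accepts(altered, presented, session_key, keyed)
```

With the keyed type the altered request fails verification, with the unkeyed type it is accepted, which is the point Luke makes about CRC32 and rsa-md5-des.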
