Kerberos packets appear to be larger
Jeremy Hunt
jeremyh at optimation.com.au
Wed Aug 7 19:26:12 EDT 2013
Greg Hudson wrote:
> On 08/07/2013 11:45 AM, Jeremy Hunt wrote:
>> It appears that the size
>> of this AS_REP packet has grown from 1200 bytes to 1572 bytes, which is
>> a fairly hefty increase.
> In my test environment with a des3-hmac-sha1 long-term user key, I get
> an AS-REP size of 250 bytes for a preauth-required error, and 714 bytes
> for an issued TGT. The values in my 1.8 test environment aren't much
> different (237 and 724 bytes). So I'm not sure why your AS-REPs are so
> much larger to start with, and why they would have gone up by so much.
>
> If you could use Wireshark or a similar tool to decode the reply,
> especially if you could configure it to decrypt the ticket encrypted
> part, perhaps we can tell why the replies are so large and what can be
> done about it.
>
Sorry, I converted a hex dump to bytes, ... and please note I wrote the
last email at 2 am my time. Stupidly I made a mistake, the sizes are out
by a factor of two.

But still the replies have gone from 600 bytes to 786 bytes. The maximum
size the application can take is 666 bytes.

I can do a snoop (it is a built MIT Kerberos on Solaris) and look at the
dump in Wireshark, but I think you are alarmed by my report of
double-sized packets, Greg. Sorry to alarm you, do you still want a dump?

Really my question is can I configure Kerberos 1.11 to do legacy-sized
packets. Failing an exact answer, what parameters in the krb5.conf or
the kdc.conf affect the size of the AS-REP. I listed the ones I modified
in my earlier email and none of them seemed to have an effect.

I note that the sizes Greg quotes are still too large for my legacy
application. I also notice that the sizes of the packets have gone up by
a factor of 3. Has the protocol changed that much in 3 revisions? But
this is a more general question, I really want my practical question of
what settings, if any, in the configuration files can reduce or affect
the size of the AS-REP packets.

Thanks for the prompt replies.

Jeremy