Kerberos packets appear to be larger

Jeremy Hunt jeremyh at optimation.com.au
Wed Aug 7 19:26:12 EDT 2013


Greg Hudson wrote:
> On 08/07/2013 11:45 AM, Jeremy Hunt wrote:
>> It appears that the size
>> of this AS_REP packet has grown from 1200 bytes to 1572 bytes, which is
>> a fairly hefty increase.
> In my test environment with a des3-hmac-sha1 long-term user key, I get
> an AS-REP size of 250 bytes for a preauth-required error, and 714 bytes
> for an issued TGT.  The values in my 1.8 test environment aren't much
> different (237 and 724 bytes).  So I'm not sure why your AS-REPs are so
> much larger to start with, and why they would have gone up by so much.
>
> If you could use Wireshark or a similar tool to decode the reply,
> especially if you could configure it to decrypt the ticket encrypted
> part, perhaps we can tell why the replies are so large and what can be
> done about it.
>
Sorry, I converted a hex dump to bytes, ... and please note I wrote the 
last email at 2 am my time. Stupidly I made a mistake, the sizes are out 
by a factor of two.

But still the replies have gone from 600 bytes to 786 bytes. The maximum 
size the application can take is 666 bytes.

I can do a snoop (it is a built MIT Kerberos on Solaris) and look at the
dump in Wireshark, but I think you are alarmed by my report of
double-sized packets, Greg. Sorry to alarm you; do you still want a dump?

Really my question is: can I configure Kerberos 1.11 to do legacy-sized
packets? Failing an exact answer, what parameters in the krb5.conf or
the kdc.conf affect the size of the AS-REP? I listed the ones I modified
in my earlier email and none of them seemed to have an effect.

I note that the sizes Greg quotes are still too large for my legacy 
application. I also notice that the sizes of the packets have gone up by 
a factor of 3. Has the protocol changed that much in 3 revisions? But
this is a more general question, I really want my practical question of 
what settings, if any, in the configuration files can reduce or affect 
the size of the AS-REP packets.

Thanks for the prompt replies.

Jeremy

