Kerberos packets appear to be larger

Jeremy Hunt jeremyh at optimation.com.au
Wed Aug 14 00:28:56 EDT 2013


Benjamin Kaduk wrote:
> On Fri, 9 Aug 2013, Jeremy Hunt wrote:
>
>> What I found was that changing the password with kpasswd or kadmin cpw
>> or adding a new principal generally changed the size of the AP-REP
>> packet for different values of these checksum variables. I changed both
>> checksum variables to the same value in my testing. However I found
>> using kdb_util dump then load reset the size of the AP-REQ packet to the
>> 786 value I originally reported. Probably kdb_util doesn't look at these
>> configuration settings at all.
> I am not sure I understand the specifics of the dump+load procedure
> involved.  Was the dump performed before or after the password change
> operation?
>
> -Ben Kaduk
>
Hi Ben,

Sorry for the late reply. I have been working to a deadline on other 
things and only just noticed this email.

1. If you change the checksum variable values, it will affect the size
of Kerberos AP-REQ packets. But only after the password has been
changed. Thereafter, any AP-REQ issued for that principal will be the
new size. Unchanged principals will have the AP-REQ packets sized as they
were before the configuration changes.

2. So consider you have a Kerberos database with a mix of passwords that
have been changed, either through the principal being added anew, or by 
a password change, and passwords that have not been changed. In this 
case, the size of the AP-REQ packet varies depending on when the 
password was changed or created.

3. Now consider the case that you dump the database to a flat file, then
reload the flat file into the database destructively. That is, you reload
each principal and password anew. In this case, all the AP-REQ packets
will be the same size. Alas, they appear to be the larger size that 
causes the problem for me.

I hope this answers your questions about the size of AP-REQ packets.

Jeremy

