Windows pkinit - failed to decode dhparams

Reinhard Kugler rekuread at gmail.com
Sat Mar 23 03:54:39 EDT 2013


> I think we've seen this before; sometimes Windows omits the required
> "q" value in the Diffie-Hellman parameters (even though it can be
> trivially computed for certain well-known groups).

sounds familiar. During our tests we spotted this behavior in
pkinit_decode_dh_params
(plugins/preauth/pkinit/pkinit_crypto_openssl.c).
But we lack of understanding in order to fix it.

> for more details.  I don't remember if anyone filed a bug about this,
> but we would consider implementing a workaround if there is interest.

There definitely is interest. We are keen to implement Kerberos with
smartcards in our network, because it pretty fits the needs.
Your support in this issue would be great!

best regards

Reinhard


More information about the Kerberos mailing list