Problems parsing old krbPrincipalKey attributes from LDAP backend

Greg Hudson ghudson at MIT.EDU
Tue May 20 11:01:35 EDT 2014

On 05/20/2014 09:56 AM, Frank Steinberg wrote:
> Did this krbPrincipalKey type change?

Not intentionally.  We did do some work on ASN.1 decoding in 1.11, and
it's possible that the LDAP key sequence decoder unintentionally
became more strict.  But looking at the 1.10 and current code, I don't
see any obvious differences in strictness.

We can narrow down the problem in one of two ways:

* You could send me a hex dump of a key sequence which decodes in 1.10
but not in 1.12.  Obviously this information would contain someone's
long-term keys, so you'd want to make sure the password had been
changed and that the old password won't be reused.

* With the debugger in omit_atype where it generates the fail, you
could extract some information as described in the last section of
src/lib/krb5/asn.1/README.asn1.  In particular, for each stack frame
in the function decode_sequence, I need the value of the variable "i".

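As an added example (not part of the thread, and not MIT Kerberos project code), a small gdb Python helper for the second approach: once gdb is stopped at the failing point inside omit_atype, it walks the stack and reports the local "i" in every decode_sequence frame. It assumes a gdb built with Python support, that the user has already set the breakpoint at the failing return in omit_atype (the exact line is not given in the thread), and that "i" is visible as a local in those frames.

```python
# Added example: gdb Python helper that reports the value of the local "i"
# in every decode_sequence frame on the current stack. Assumes gdb with
# Python support and that execution is stopped inside omit_atype.

def collect_decode_sequence_indices(frame):
    """Walk outward from `frame` and return [(depth, i), ...] for each frame
    whose function is decode_sequence. If `i` cannot be read (for example
    optimized out), record None so the frame is still listed."""
    result = []
    depth = 0
    while frame is not None:
        if frame.name() == "decode_sequence":
            try:
                value = int(frame.read_var("i"))
            except Exception:  # ValueError / gdb.error when unavailable
                value = None
            result.append((depth, value))
        frame = frame.older()
        depth += 1
    return result


def format_report(entries):
    """Render the collected values as plain lines suitable for a reply."""
    lines = []
    for depth, value in entries:
        shown = "unavailable" if value is None else str(value)
        lines.append("frame #%d decode_sequence: i = %s" % (depth, shown))
    return lines


try:
    import gdb

    class DecodeSeqIndices(gdb.Command):
        """Print the value of i in every decode_sequence frame on the stack."""

        def __init__(self):
            super().__init__("decode-seq-indices", gdb.COMMAND_STACK)

        def invoke(self, arg, from_tty):
            entries = collect_decode_sequence_indices(gdb.selected_frame())
            for line in format_report(entries):
                gdb.write(line + "\n")

    DecodeSeqIndices()
except ImportError:
    pass  # not running inside gdb; the helper functions stay importable
```

Inside gdb, load it with `source <path-to-this-file>` after the breakpoint in omit_atype has been hit, then run `decode-seq-indices` and paste the printed lines into the reply.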