[krbdev.mit.edu #6490] SVN Commit
Tom Yu via RT
rt-comment at krbdev.mit.edu
Sun May 24 18:51:00 EDT 2009
pull up 22355, 22356, 22357 from trunk
------------------------------------------------------------------------
r22357 | ghudson | 2009-05-20 04:05:53 +0200 (Wed, 20 May 2009) | 6 lines
ticket: 6490
Restore compatibility with KDCs using key usage 8 to encrypt TGS
replies in a subkey, by implementing a fallback in
krb5_arcfour_decrypt.
------------------------------------------------------------------------
r22356 | ghudson | 2009-05-20 01:17:49 +0200 (Wed, 20 May 2009) | 13 lines
ticket: 6490
status: open
tags: pullup
When using keyed checksum types with TGS subkeys, Microsoft AD 2003
verifies the checksum using the subkey, whereas MIT and Heimdal verify
it using the TGS session key. (RFC 4120 is actually silent on which
is correct; RFC 4757 specifies the TGS session key.) To sidestep this
interop issue, don't use keyed checksum types with RC4 keys without
explicit configuration in krb5.conf. Using keyed checksum types with
AES is fine since, experimentally, AD 2008 accepts checksums keyed
with the TGS session key.
------------------------------------------------------------------------
r22355 | hartmans | 2009-05-19 01:28:53 +0200 (Tue, 19 May 2009) | 5 lines
ticket: 6490
status: open
In practice, key usage 9 requires no translation.
http://src.mit.edu/fisheye/changelog/krb5/?cs=22374
Commit By: tlyu
Revision: 22374
Changed Files:
U branches/krb5-1-7/src/lib/crypto/arcfour/arcfour.c
U branches/krb5-1-7/src/lib/crypto/t_encrypt.c
U branches/krb5-1-7/src/lib/krb5/krb/send_tgs.c
More information about the krb5-bugs
mailing list