another similar enctype issue
Will Fiveash
William.Fiveash at sun.com
Tue Sep 27 13:55:58 EDT 2005
I recently noticed that:

    kinit willf

will fail if krb5.conf has default_tkt_enctypes = des-cbc-crc and the
willf princ DB entry has:

    Number of keys: 5
    Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
    Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
    Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
    Key: vno 1, ArcFour with HMAC/md5, no salt
    Key: vno 1, DES cbc mode with RSA-MD5, no salt
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
    Attributes: REQUIRES_PRE_AUTH

(notice the DES cbc mode with RSA-MD5 aka des-cbc-md5 key)

I think the kinit fail is due to code in krb5_do_preauth() that does:

    /*
     * Select first etype in our request which is also in
     * etype-info (preferring client request ktype order).
     */
    for (etype_found = 0, valid_etype_found = 0, k = 0;
         !etype_found && k < request->nktypes; k++) {
        for (l = 0; etype_info[l]; l++) {
            if (etype_info[l]->etype == request->ktype[k]) {
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ exact match
                etype_found++;
                break;
            }

The problem is this code doesn't deal with the concept of des-cbc-crc
and des-cbc-md5 similarity as is done in other parts of mech_krb5.
Am I correct in my thinking here?
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
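
An added example, not part of the original message and not code from the krb5 source: a stand-alone model of the etype selection loop quoted above, comparing exact matching with similarity-aware matching. The helper similar_enctype(), the function select_etype() and the sample arrays are hypothetical; the etype-info list is assumed to carry the enctypes of the five keys shown in the message.

```c
#include <stdio.h>
#include <stddef.h>

/* Enctype numbers as assigned in RFC 3961, RFC 3962 and RFC 4757. */
enum { DES_CBC_CRC = 1, DES_CBC_MD4 = 2, DES_CBC_MD5 = 3, DES3_CBC_SHA1 = 16,
       AES128_CTS = 17, AES256_CTS = 18, ARCFOUR_HMAC = 23 };

static int is_single_des(int e)
{
    return e == DES_CBC_CRC || e == DES_CBC_MD4 || e == DES_CBC_MD5;
}

/* Hypothetical helper: single-DES enctypes use the same key, so they count as similar. */
static int similar_enctype(int a, int b)
{
    return a == b || (is_single_des(a) && is_single_des(b));
}

/*
 * Return the index of the etype-info entry selected for the request,
 * preferring client request order, or -1 when nothing matches.
 * allow_similar == 0 models the exact comparison quoted in the message;
 * allow_similar == 1 models similarity-aware matching.
 */
int select_etype(const int *ktype, size_t nktypes,
                 const int *etype_info, size_t ninfo, int allow_similar)
{
    for (size_t k = 0; k < nktypes; k++)
        for (size_t l = 0; l < ninfo; l++)
            if (allow_similar ? similar_enctype(etype_info[l], ktype[k])
                              : etype_info[l] == ktype[k])
                return (int)l;
    return -1;
}

/* Constructed sample data (assumption): etype-info mirrors the five keys. */
static const int sample_info[] = { AES256_CTS, AES128_CTS, DES3_CBC_SHA1,
                                   ARCFOUR_HMAC, DES_CBC_MD5 };
/* Request built from default_tkt_enctypes = des-cbc-crc. */
static const int sample_request[] = { DES_CBC_CRC };

int demo_exact(void)   { return select_etype(sample_request, 1, sample_info, 5, 0); }
int demo_similar(void) { return select_etype(sample_request, 1, sample_info, 5, 1); }

int main(void)
{
    printf("exact match index:   %d\n", demo_exact());
    printf("similar match index: %d\n", demo_similar());
    return 0;
}
```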