another similar enctype issue

Will Fiveash William.Fiveash at
Tue Sep 27 13:55:58 EDT 2005

I recently noticed that:

kinit willf

will fail if krb5.conf has default_tkt_enctypes = des-cbc-crc and the
willf princ DB entry has:

Number of keys: 5
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt

(notice the DES cbc mode with RSA-MD5 aka des-cbc-md5 key)
I think the kinit failure is due to code in krb5_do_preauth() that does:

        /*
         * Select first etype in our request which is also in
         * etype-info (preferring client request ktype order).
         */
        for (etype_found = 0, valid_etype_found = 0, k = 0;
             !etype_found && k < request->nktypes; k++) {
            for (l = 0; etype_info[l]; l++) {
                if (etype_info[l]->etype == request->ktype[k]) {
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ exact match

The problem is this code doesn't deal with the concept of des-cbc-crc
and des-cbc-md5 similarity as is done in other parts of mech_krb5.
Am I correct in my thinking here?

Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
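
The mismatch described in the message above, as an added C example that is not part of the original post or of the krb5 source: the same nested-loop selection is run over constructed input, once with an exact comparison and once with a similarity-aware one. The helper names, the single-DES grouping in key_class(), and the assumption that the KDC's etype-info mirrors the principal's five keys are illustrative.

```c
#include <stddef.h>
#include <stdio.h>

/* Enctype numbers as assigned in RFC 3961, RFC 3962 and RFC 4757. */
enum { DES_CBC_CRC = 1, DES_CBC_MD4 = 2, DES_CBC_MD5 = 3, DES3_CBC_SHA1 = 16,
       AES128_CTS = 17, AES256_CTS = 18, ARCFOUR_HMAC = 23 };

/* Hypothetical helper: the single-DES enctypes use the same kind of key, so
 * fold them into one class; any other enctype is similar only to itself. */
static int key_class(int etype)
{
    if (etype == DES_CBC_MD4 || etype == DES_CBC_MD5)
        return DES_CBC_CRC;
    return etype;
}

static int etypes_equal(int a, int b)   { return a == b; }
static int etypes_similar(int a, int b) { return key_class(a) == key_class(b); }

/* Same loop shape as the quoted fragment: walk the request's ktypes in
 * client preference order and return the index of the first etype-info
 * entry accepted by match(), or -1 when no entry is accepted. */
static int select_etype(const int *ktype, size_t nktypes,
                        const int *etype_info, size_t ninfo,
                        int (*match)(int, int))
{
    for (size_t k = 0; k < nktypes; k++)
        for (size_t l = 0; l < ninfo; l++)
            if (match(etype_info[l], ktype[k]))
                return (int)l;
    return -1;
}

/* Constructed input: default_tkt_enctypes = des-cbc-crc, and an etype-info
 * list assumed to mirror the five keys listed for the principal. */
static const int request_ktypes[] = { DES_CBC_CRC };
static const int kdc_etype_info[] = { AES256_CTS, AES128_CTS, DES3_CBC_SHA1,
                                      ARCFOUR_HMAC, DES_CBC_MD5 };

int run(int (*match)(int, int))
{
    return select_etype(request_ktypes, 1, kdc_etype_info, 5, match);
}

int main(void)
{
    printf("exact: %d, similar: %d\n", run(etypes_equal), run(etypes_similar));
}
```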
