another similar enctype issue
Will Fiveash
William.Fiveash at sun.com
Wed Sep 28 17:03:42 EDT 2005
On Tue, Sep 27, 2005 at 12:55:58PM -0500, Will Fiveash wrote:
> I recently noticed that:
>
> kinit willf
>
> will fail if krb5.conf has default_tkt_enctypes = des-cbc-crc and the
> willf princ DB entry has:
>
> Number of keys: 5
> Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
> Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
> Key: vno 1, ArcFour with HMAC/md5, no salt
> Key: vno 1, DES cbc mode with RSA-MD5, no salt
> ^^^^^^^^^^^^^^^^^^^^^^^^^^
> Attributes: REQUIRES_PRE_AUTH
>
> (notice the DES cbc mode with RSA-MD5 aka des-cbc-md5 key)
> I think the kinit fail is due to code in krb5_do_preauth() that does:
>
> /*
>  * Select first etype in our request which is also in
>  * etype-info (preferring client request ktype order).
>  */
> for (etype_found = 0, valid_etype_found = 0, k = 0;
>      !etype_found && k < request->nktypes; k++) {
>     for (l = 0; etype_info[l]; l++) {
>         if (etype_info[l]->etype == request->ktype[k]) {
>         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ exact match
>             etype_found++;
>             break;
>         }
>
> The problem is this code doesn't deal with the concept of des-cbc-crc
> and des-cbc-md5 similarity as is done in other parts of mech_krb5.
> Am I correct in my thinking here?
Note, if I modify the above code like so:
!etype_found && k < request->nktypes; k++) {
for (l = 0; etype_info[l]; l++) {
- if (etype_info[l]->etype == request->ktype[k]) {
+ ret = krb5_c_enctype_compare(context,
+ etype_info[l]->etype, request->ktype[k],
+ &similar);
+ if (ret != 0)
+ continue;
+ if (similar) {
etype_found++;
break;
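Review bot: the new branch uses `ret` and `similar` without showing where they are declared; the hunk needs a `krb5_error_code ret;` and a `krb5_boolean similar;` in the enclosing scope (and `ret` must not reuse the variable krb5_do_preauth() already returns through). A second point, on `if (ret != 0) continue;`: a failure from krb5_c_enctype_compare() silently drops that etype-info entry, which is a reasonable outcome for an unrecognized enctype but deserves a one-line comment saying it is deliberate. Finally, once a similar rather than exact match is accepted, `request->ktype[k]` (des-cbc-crc) and the chosen `etype_info[l]->etype` (des-cbc-md5) can differ, so it is worth checking that the code after this loop derives the key from the etype-info entry's enctype and salt rather than from the request ktype.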
then kinit works if krb5.conf has default_tkt_enctypes = des-cbc-crc.
--
Will Fiveash
Sun Microsystems Inc.
Austin, TX, USA (TZ=CST6CDT)
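The selection loop discussed above, reduced to a stand-alone model. This is an added example, not code from the krb5 source or from the mailing-list post: the enctype numbers are the standard Kerberos assignments, `enctype_similar()` is a simplified stand-in for krb5_c_enctype_compare() that treats the single-DES variants as interchangeable (an assumption of the example, not the library's exact rule), and `select_etype()` mirrors the loop with an exact-match and a similarity-aware mode. The etype-info array is constructed from the principal listing in the message.

```c
#include <stdio.h>
#include <stddef.h>

/* Standard Kerberos enctype numbers for the keys listed in the message. */
enum {
    ENCTYPE_DES_CBC_CRC             = 1,
    ENCTYPE_DES_CBC_MD4             = 2,
    ENCTYPE_DES_CBC_MD5             = 3,
    ENCTYPE_DES3_CBC_SHA1           = 16,
    ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17,
    ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18,
    ENCTYPE_ARCFOUR_HMAC            = 23
};

#define NO_MATCH (-1)

static int is_single_des(int e)
{
    return e == ENCTYPE_DES_CBC_CRC || e == ENCTYPE_DES_CBC_MD4 ||
           e == ENCTYPE_DES_CBC_MD5;
}

/* Simplified stand-in for krb5_c_enctype_compare(): two enctypes are
 * "similar" when they use the same key (here: the single-DES family).
 * This is an assumption of the example, not the library's exact rule. */
int enctype_similar(int a, int b)
{
    if (a == b)
        return 1;
    return is_single_des(a) && is_single_des(b);
}

/* Model of the selection loop: walk the request ktypes in order and return
 * the enctype of the first etype-info entry that matches, or NO_MATCH.
 * etype_info is a 0-terminated array (0 is never a usable enctype). */
int select_etype(const int *request_ktypes, size_t nktypes,
                 const int *etype_info, int use_similarity)
{
    for (size_t k = 0; k < nktypes; k++) {
        for (size_t l = 0; etype_info[l] != 0; l++) {
            int match = use_similarity
                ? enctype_similar(etype_info[l], request_ktypes[k])
                : etype_info[l] == request_ktypes[k];
            if (match)
                return etype_info[l];
        }
    }
    return NO_MATCH;
}

int main(void)
{
    /* Constructed from the principal listing in the message: willf's KDC
     * keys, in the order the etype-info would carry them. */
    const int willf_etype_info[] = {
        ENCTYPE_AES256_CTS_HMAC_SHA1_96, ENCTYPE_AES128_CTS_HMAC_SHA1_96,
        ENCTYPE_DES3_CBC_SHA1, ENCTYPE_ARCFOUR_HMAC, ENCTYPE_DES_CBC_MD5, 0
    };
    /* default_tkt_enctypes = des-cbc-crc */
    const int request[] = { ENCTYPE_DES_CBC_CRC };

    int exact = select_etype(request, 1, willf_etype_info, 0);
    int similar = select_etype(request, 1, willf_etype_info, 1);
    printf("exact match:      %d (kinit %s)\n", exact,
           exact == NO_MATCH ? "fails" : "works");
    printf("similarity match: %d (kinit %s)\n", similar,
           similar == NO_MATCH ? "fails" : "works");
    return 0;
}
```

With the exact comparison the des-cbc-crc request never matches the des-cbc-md5 entry and the loop reports NO_MATCH (the kinit failure described above); with the similarity comparison it selects the des-cbc-md5 entry. The same loop also shows why a request listing an AES enctype first is unaffected: it matches exactly in either mode.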