non-ascii password in kerberos authentication

Xu Qiang Qiang.Xu at fujixerox.com
Fri Sep 14 05:13:38 EDT 2007


Hi, all:

Our printers are using krb5 developed by MIT as a client for Kerberos authentication.

Recently, I found that when a user tries to log into the printer against Windows 2003 Server running the Kerberos service, it fails if his/her password contains non-ASCII characters. However, it succeeds if only the username contains non-ASCII characters.

There are two users with <username>/<password> in ADS as:
1. "stmêé/Fair123"
This can be authenticated.

2. "stm123/êéFair123"
This cannot be authenticated.

Although Kerberos cannot authenticate the second one, LDAP can. That shows that the Kerberos algorithm still has some defects in it.

I looked at the source code and found that the same algorithm is used to convert Latin characters to UTF characters for both the username and the password. So essentially it should work for the password, since a username containing non-ASCII chars can be passed, right?

I got confused and want to know if any extra work needs to be done for a password having non-ASCII chars in it.

TIA,
Xu Qiang



