non-ascii password in kerberos authentication
paul.moore at centrify.com
Fri Sep 14 17:13:38 EDT 2007
DES or HMAC?
DES does not define the password behaviour for non-ASCII; MSFT has implemented it in such a way that it is basically impossible to interop with (they translate the Unicode to an OEM 8-bit char set, but which one they use depends on the language pack in use on the DC - which you cannot discover remotely).
HMAC does define the non-ascii behaviour so it should be OK (in my experience)
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Xu Qiang
Sent: Friday, September 14, 2007 2:14 AM
To: krbdev at mit.edu
Subject: non-ascii password in kerberos authentication
Our printers are using krb5 developed by MIT as a client for kerberos authentication.
Recently, I found that when a user tried to log into the printer against Windows 2003 Server running kerberos service, it will fail if his/her password contains non-ASCII characters. However, it will succeed if only the username contains non-ASCII characters.
There are two users with <username>/<password> in ADS as:
This can be authenticated.
This cannot be authenticated.
Although kerberos cannot authenticate the second one, LDAP can. That shows that the kerberos algorithm still has some defects in it.
I looked at the source code, and found the same algorithm is used to convert Latin characters to UTF characters, for both username and password. So essentially it should work for password, since username containing non-ASCII chars can be passed, right?
I got confused and want to know if any extra work needs to be done for password having non-ASCII chars in it.
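An added example, not part of either message or of the krb5 code base: it shows why the choice of 8-bit character set matters for a DES key derived from the password, while the RC4-HMAC enctype (RFC 4757) always hashes the UTF-16LE form. The candidate encoding list and the sample passwords are constructed assumptions; the thread does not say which code page any given DC uses.

```python
# Added illustration; encodings and sample passwords are constructed assumptions.
from collections import defaultdict

# Candidate 8-bit code pages a DC might use; the thread does not say which,
# so this list is an assumption for demonstration only.
CANDIDATE_ENCODINGS = ("utf-8", "cp437", "cp850", "cp1252", "latin-1")


def key_input_groups(password):
    """Group candidate encodings by the byte string they produce.

    The bytes are what a DES string-to-key would consume; None marks
    encodings that cannot represent the password at all.
    """
    groups = defaultdict(list)
    for enc in CANDIDATE_ENCODINGS:
        try:
            raw = password.encode(enc)
        except UnicodeEncodeError:
            raw = None
        groups[raw].append(enc)
    return dict(groups)


def is_encoding_ambiguous(password):
    """True when client and KDC could feed different bytes into string-to-key."""
    return len(key_input_groups(password)) > 1


def rc4_hmac_key_input(password):
    """RC4-HMAC (RFC 4757) hashes the UTF-16LE password: one fixed encoding."""
    return password.encode("utf-16-le")


if __name__ == "__main__":
    for pw in ("Passw0rd", "Pässwörd", "P€ss"):  # constructed samples
        print(repr(pw), "ambiguous:", is_encoding_ambiguous(pw))
        for raw, encs in key_input_groups(pw).items():
            print("   ", encs, raw.hex() if raw is not None else "unencodable")
        print("    rc4-hmac input:", rc4_hmac_key_input(pw).hex())
```

A pure-ASCII password yields one group, which is why only accounts with non-ASCII passwords fail; a check like this can flag such accounts before DES enctypes are relied on.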