non-ascii password in kerberos authentication

Xu Qiang Qiang.Xu at
Mon Sep 17 01:42:52 EDT 2007

> -----Original Message-----
> From: Ken Raeburn [mailto:raeburn at MIT.EDU]
> Sent: Monday, September 17, 2007 12:12 PM
> To: Xu Qiang
> Cc: Paul Moore; krbdev at
> Subject: Re: non-ascii password in kerberos authentication
>
> I can think of some workarounds, none especially pretty.
> * If you can be sure that RC4 is being used, convert to UCS-2LE
> before calling into the library in the first place.

Yeah, I like this idea. At least I can test whether RC4 encoding of 
the password works or not. The problem is, is there an existing 
implementation of conversion from ISO-8859-1 to UCS-2LE, or 
directly, from UTF-8 to UCS-2LE in C code? I only have a function 
specifically for conversion from ISO-8859-1 to UTF-8. Looks like
it cannot be used directly to convert to UCS-2LE.

> * Modify the MIT code you're using to be aware that you're always
> passing in UTF-8, and in the RC4 string-to-key code, always convert
> to UCS-2LE.  Because of the transition issues and possible existing
> deployments using other approaches, I'm not sure if we would be able
> to incorporate a patch for this, but we can discuss it.  I think it
> would get the job done for you, though.

This sounds great, but it may need time. We can wait for the patch. 
At the same time, I want to get a quick solution using direct conversion 
to UCS-2LE.

> * Modify the MIT code at a slightly higher level, to first try the
> password as passed in, and if it fails (and, maybe, if RC4 is the
> encryption type), run it through a UTF-8-to-UCS-2LE conversion and
> try again if the conversion works.  With preauth, this has the same
> bad-password problem as described above.

A quick search in Google seems to reveal that a direct conversion 
from UTF-8 to UCS-2LE is not supported yet. Is it?

Thanks for your suggestions, 
Xu Qiang
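
The conversion asked about above can be written by hand in a few lines of C. The following is an added example, not code from this thread or from MIT krb5; the function names `utf8_to_ucs2le` and `latin1_to_ucs2le` are hypothetical. It goes slightly beyond the question by rejecting malformed UTF-8, overlong forms, surrogates and code points outside the BMP, so that a bad input fails instead of silently producing a different key.

```c
#include <stddef.h>
#include <stdint.h>
#include <sys/types.h>

/* Hypothetical helper (not an MIT krb5 API): convert a NUL-terminated UTF-8
 * string to UCS-2LE bytes. Returns the number of bytes written, or -1 on
 * malformed input, a code point outside the BMP, or insufficient space. */
ssize_t utf8_to_ucs2le(const char *in, unsigned char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0;

    while (*p) {
        uint32_t cp;
        int extra, i;

        if (*p < 0x80) { cp = *p; extra = 0; }
        else if ((*p & 0xE0) == 0xC0) { cp = *p & 0x1F; extra = 1; }
        else if ((*p & 0xF0) == 0xE0) { cp = *p & 0x0F; extra = 2; }
        else return -1;   /* 4-byte forms are beyond UCS-2; others invalid */
        p++;
        for (i = 0; i < extra; i++, p++) {
            if ((*p & 0xC0) != 0x80) return -1;   /* also catches early NUL */
            cp = (cp << 6) | (*p & 0x3F);
        }
        /* Reject overlong encodings and UTF-16 surrogate code points. */
        if ((extra == 1 && cp < 0x80) || (extra == 2 && cp < 0x800)) return -1;
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;
        if (outlen - n < 2) return -1;
        out[n++] = (unsigned char)(cp & 0xFF);   /* low byte first */
        out[n++] = (unsigned char)(cp >> 8);
    }
    return (ssize_t)n;
}

/* ISO-8859-1 maps byte-for-byte onto U+0000..U+00FF. */
ssize_t latin1_to_ucs2le(const char *in, unsigned char *out, size_t outlen)
{
    const unsigned char *p = (const unsigned char *)in;
    size_t n = 0;

    for (; *p; p++) {
        if (outlen - n < 2) return -1;
        out[n++] = *p;
        out[n++] = 0;
    }
    return (ssize_t)n;
}
```

The output has no terminator and may contain zero bytes, so the caller has to pass the returned length along with the buffer rather than relying on `strlen`.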
