non-ascii password in kerberos authentication
Xu Qiang
Qiang.Xu at fujixerox.com
Mon Sep 17 01:42:52 EDT 2007
> -----Original Message-----
> From: Ken Raeburn [mailto:raeburn at MIT.EDU]
> Sent: Monday, September 17, 2007 12:12 PM
> To: Xu Qiang
> Cc: Paul Moore; krbdev at mit.edu
> Subject: Re: non-ascii password in kerberos authentication
>
>
> I can think of some workarounds, none especially pretty.
>
> * If you can be sure that RC4 is being used, convert to UCS-2LE
> before calling into the library in the first place.

Yeah, I like this idea. At least I can test whether RC4 encoding of
the password works or not. The problem is, is there an existing
implementation of conversion from ISO-8859-1 to UCS-2LE, or
directly, from UTF-8 to UCS-2LE in C code? I only have a function
specifically for conversion from ISO-8859-1 to UTF-8. Looks like
it cannot be used directly to convert to UCS-2LE.

> * Modify the MIT code you're using to be aware that you're always
> passing in UTF-8, and in the RC4 string-to-key code, always convert
> to UCS-2LE. Because of the transition issues and possible existing
> deployments using other approaches, I'm not sure if we would be able
> to incorporate a patch for this, but we can discuss it. I think it
> would get the job done for you, though.

This sounds great, but it may need time. We can wait for the patch.
At the same time, I want to get a quick solution using direct conversion
to UCS-2LE.

> * Modify the MIT code at a slightly higher level, to first try the
> password as passed in, and if it fails (and, maybe, if RC4 is the
> encryption type), run it through a UTF-8-to-UCS-2LE conversion and
> try again if the conversion works. With preauth, this has the same
> bad-password problem as described above.

A quick search in Google seems to reveal that a direct conversion
from UTF-8 to UCS-2LE is not supported yet. Is it?

Thanks for your suggestions,
Xu Qiang
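
An added example, not part of the original message and not MIT krb5 code: the UTF-8 to UCS-2LE conversion asked about above, written as a strict decoder in C, with the ISO-8859-1 case beside it. The function names are hypothetical and the sample password is constructed; input that UCS-2 cannot represent or that is not well-formed UTF-8 is rejected rather than converted, so a bad byte sequence never turns into a different key input.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not an MIT krb5 API): strict UTF-8 -> UCS-2LE. Returns
 * bytes written, or -1 on bad UTF-8, a non-BMP/surrogate code point, or no room. */
long utf8_to_ucs2le(const unsigned char *in, size_t inlen,
                    unsigned char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < inlen) {
        unsigned char b = in[i++];
        uint32_t cp; size_t need;             /* need = continuation bytes */
        if (b < 0x80)                { cp = b;        need = 0; }
        else if ((b & 0xE0) == 0xC0) { cp = b & 0x1F; need = 1; }
        else if ((b & 0xF0) == 0xE0) { cp = b & 0x0F; need = 2; }
        else return -1;          /* 4-byte lead (beyond BMP) or stray byte */
        if (need > inlen - i) return -1;          /* truncated sequence */
        for (size_t k = 0; k < need; k++) {
            unsigned char c = in[i++];
            if ((c & 0xC0) != 0x80) return -1;    /* not a continuation */
            cp = (cp << 6) | (c & 0x3F);
        }
        if ((need == 1 && cp < 0x80) || (need == 2 && cp < 0x800))
            return -1;                            /* overlong encoding */
        if (cp >= 0xD800 && cp <= 0xDFFF) return -1;  /* surrogate */
        if (outcap - o < 2) return -1;            /* output buffer full */
        out[o++] = (unsigned char)(cp & 0xFF);    /* low byte first */
        out[o++] = (unsigned char)(cp >> 8);
    }
    return (long)o;
}

/* ISO-8859-1 -> UCS-2LE: every byte is its own code point, high byte 0. */
long latin1_to_ucs2le(const unsigned char *in, size_t inlen,
                      unsigned char *out, size_t outcap)
{
    if (outcap / 2 < inlen) return -1;
    for (size_t i = 0; i < inlen; i++) { out[2*i] = in[i]; out[2*i+1] = 0; }
    return (long)(inlen * 2);
}

int main(void)
{
    const unsigned char pw[] = "p\xC3\xA4ssw\xC3\xB6rd";  /* constructed sample */
    unsigned char buf[64];
    long n = utf8_to_ucs2le(pw, sizeof pw - 1, buf, sizeof buf);
    for (long i = 0; i < n; i++) printf("%02x", buf[i]);
    printf("\n");
    return n < 0;
}
```

Both functions produce the same bytes for characters that exist in ISO-8859-1, so the caller only needs to know which encoding the password arrived in.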