krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing sshd to fail

Douglas E. Engert deengert at
Thu Jul 1 09:38:29 EDT 2010

On 7/1/2010 6:25 AM, Luke Howard wrote:
> Does it fail with KRB5_BAD_ENCTYPE? We can change krb5_rd_req_decoded_opt() to try all the keys in the keytab if krb5int_authdata_verify() fails with the key that decrypted the ticket.

Yes, it fails in the inlined verify_key function in chsumtypes.h:

     ktp = key ? find_enctype(key->keyblock.enctype) : NULL;
     if (ctp->enc != NULL && (!ktp || ktp->enc != ctp->enc))
         return KRB5_BAD_ENCTYPE;

called from krb5_c_verify_checksum.

(That's all the stack I saved. I can run gdb again if needed.)

> -- Luke


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
