krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing sshd to fail
Douglas E. Engert
deengert at anl.gov
Thu Jul 1 09:38:29 EDT 2010
On 7/1/2010 6:25 AM, Luke Howard wrote:
> Does it fail with KRB5_BAD_ENCTYPE? We can change krb5_rd_req_decoded_opt() to try all the keys in the keytab if krb5int_authdata_verify() fails with the key that decrypted the ticket.
>
Yes, it fails in the inlined verify_key function in chsumtypes.h:

    ktp = key ? find_enctype(key->keyblock.enctype) : NULL;
    if (ctp->enc != NULL && (!ktp || ktp->enc != ctp->enc))
        return KRB5_BAD_ENCTYPE;

called from
    krb5_c_verify_checksum
    k5_pac_verify_server_checksum
    krb5_pac_verify
    mspac_verify
    krb5int_authdata_verify

(That's all the stack I saved. I can run gdb again if needed.)
> -- Luke
>
--
Douglas E. Engert <DEEngert at anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444