krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing sshd to fail

Luke Howard lukeh at
Thu Jul 1 17:35:48 EDT 2010

> With  msDS-SupportedEncryptionTypes = 16 (AES256) The first verify fails
> as expected, and the keytab is searched, and each key is tried. But
> the RC4 key (23) gets a KRB5KRB_AP_ERR_BAD_INTEGRITY as the compare
> of the computed and supplied checksums don't match.

Perhaps they're rc4-hmac with the AES key. (This really wouldn't surprise me. Ironically it might make the code path simpler.)

-- Luke

More information about the krbdev mailing list