krb5-1.8 fails to verify MS PAC Checksum when AES 256 is used causing sshd to fail
Luke Howard
lukeh at padl.com
Fri Jul 2 17:35:51 EDT 2010
On 02/07/2010, at 4:44 PM, Douglas E. Engert wrote:
>
>
> On 7/1/2010 4:35 PM, Luke Howard wrote:
>>> With msDS-SupportedEncryptionTypes = 16 (AES256) The first verify fails
>>> as expected, and the keytab is searched, and each key is tried. But
>>> the RC4 key (23) gets a KRB5KRB_AP_ERR_BAD_INTEGRITY as the compare
>>> of the computed and supplied checksums don't match.
>>
>> Perhaps they're rc4-hmac with the AES key. (This really wouldn't surprise me. Ironically it might make the code path simpler.)
>>
>
> I was thinking along the same lines last night. I tried your second patch, and that did not work,
> getting these messages:
> GSS-API error accepting context: Unspecified GSS failure. Minor code may provide more information
> GSS-API error accepting context: Key size is incompatible with encryption type
OK, so we need both patches?
> The CKSUMTYPE_MD5_HMAC_ARCFOUR = -137 may also be misnamed, and the
> same patch might be needed with it as well. I don't know where it is
> used, but since HMAC can use any key <= 64 bytes, it may not need the
> & krb5int_enc_arcfour.
That might be OK, it was just used for NetLogon, not by Kerberos.
-- Luke
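The point under discussion is that the PAC's HMAC-MD5 server checksum is keyed directly with the service's long-term key, so a 32-byte AES-256 key is perfectly usable even though the checksum type is tied to rc4-hmac in krb5's tables. The following is an added example (not code from the thread, MIT krb5, or Microsoft) that implements KERB_CHECKSUM_HMAC_MD5 as specified in MS-PAC 2.8.1 and verifies a server checksum with both a 16-byte and a 32-byte key; the PAC bytes and keys are constructed placeholders.

```python
"""Added example: MS-PAC KERB_CHECKSUM_HMAC_MD5 (MS-PAC 2.8.1), not krb5 code."""
import hashlib
import hmac
import struct

# Key usage number for the PAC server checksum (MS-PAC 2.8.2).
KU_PAC_SERVER_CHECKSUM = 17


def pac_hmac_md5_checksum(key: bytes, key_usage: int, data: bytes) -> bytes:
    """KERB_CHECKSUM_HMAC_MD5 (checksum type -138) per MS-PAC 2.8.1.

    The key is fed straight into HMAC, so any key length is accepted;
    nothing here depends on the key's Kerberos enctype (RC4 vs AES).
    """
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", key_usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_pac_server_checksum(key: bytes, pac_body: bytes, signature: bytes) -> bool:
    """Recompute the server checksum and compare it in constant time.

    pac_body must be the PAC with both signature fields zeroed, as the
    verifier does before checking.
    """
    expected = pac_hmac_md5_checksum(key, KU_PAC_SERVER_CHECKSUM, pac_body)
    return hmac.compare_digest(expected, signature)


# Constructed sample input: placeholder PAC bytes, a 32-byte (AES-256-sized)
# key and a 16-byte (RC4-sized) key. Not real keys or a real PAC.
SAMPLE_PAC_BODY = b"constructed PAC body with signature fields zeroed"
SAMPLE_AES256_KEY = bytes(range(32))
SAMPLE_RC4_KEY = bytes(range(16))


def demo() -> dict:
    """Show that a 32-byte key verifies exactly like a 16-byte one."""
    sig_aes = pac_hmac_md5_checksum(SAMPLE_AES256_KEY, KU_PAC_SERVER_CHECKSUM, SAMPLE_PAC_BODY)
    sig_rc4 = pac_hmac_md5_checksum(SAMPLE_RC4_KEY, KU_PAC_SERVER_CHECKSUM, SAMPLE_PAC_BODY)
    return {
        "aes_len": len(sig_aes),
        "aes_ok": verify_pac_server_checksum(SAMPLE_AES256_KEY, SAMPLE_PAC_BODY, sig_aes),
        "rc4_ok": verify_pac_server_checksum(SAMPLE_RC4_KEY, SAMPLE_PAC_BODY, sig_rc4),
        "wrong_key": verify_pac_server_checksum(SAMPLE_RC4_KEY, SAMPLE_PAC_BODY, sig_aes),
        "tampered": verify_pac_server_checksum(SAMPLE_AES256_KEY, SAMPLE_PAC_BODY + b"x", sig_aes),
    }
```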