wrong checksum type for arcfour-hmac-md5

Luke Howard lhoward at MIT.EDU
Wed Sep 15 10:35:22 EDT 2010


On 15/09/2010, at 4:21 PM, Stefan (metze) Metzmacher wrote:

> Hi Luke,
> 
> I found that MIT Kerberos uses the wrong (not the same as Windows and
> Heimdal) checksum for arcfour-hmac-md5.

I would be cautious about changing the default checksum type for rc4-hmac in etypes.c. RFC 4757 is pretty clear that the mandatory checksum type is CKSUMTYPE_HMAC_MD5_ARCFOUR.

Can you point me to where in the GSS-API RFCs and/or Windows protocol documents it specifies *not* sending a 0x8003 as part of the AP-REQ in a Kerberos InitialContextToken? I don't believe Windows clients ever do this? Samba is taking advantage of the fact that Windows servers are liberal acceptors but this isn't specified anywhere to my knowledge (OK, I haven't looked).

I would suggest instead your self-made GSSAPI use krb5_auth_con_set_req_cksumtype() to force the checksum type you want.

-- Luke
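
The checksum named in the message above, CKSUMTYPE_HMAC_MD5_ARCFOUR, computed the way RFC 4757 section 4 defines it. This is an added example, not part of the original e-mail and not MIT krb5 code. The key, message type value and data are constructed, and `verify_checksum` is a hypothetical strict acceptor that rejects any other checksum type.

```python
import hashlib
import hmac
import struct

CKSUMTYPE_HMAC_MD5_ARCFOUR = -138  # checksum type number used with rc4-hmac (RFC 4757)


def hmac_md5_arcfour_checksum(key: bytes, msg_type: int, data: bytes) -> bytes:
    """CHKSUM(K, T, data) from RFC 4757 section 4."""
    # Ksign = HMAC(K, "signaturekey"), terminating zero octet included.
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    # tmp = MD5(T || data), with T as a little-endian four-byte integer.
    tmp = hashlib.md5(struct.pack("<I", msg_type) + data).digest()
    # CHKSUM = HMAC(Ksign, tmp)
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def verify_checksum(key: bytes, msg_type: int, data: bytes,
                    cksumtype: int, checksum: bytes) -> bool:
    """Hypothetical strict acceptor: only the mandatory type is accepted."""
    if cksumtype != CKSUMTYPE_HMAC_MD5_ARCFOUR:
        return False
    expected = hmac_md5_arcfour_checksum(key, msg_type, data)
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(expected, checksum)


# Constructed sample values. Mapping a Kerberos key usage number to the
# RFC 4757 message type T is not shown; T is passed in directly.
SAMPLE_KEY = bytes(range(16))          # constructed 16-byte rc4-hmac key
SAMPLE_T = 10                          # constructed message type value
SAMPLE_DATA = b"constructed authenticator payload"
OTHER_CKSUMTYPE = 7                    # constructed: any type other than -138

if __name__ == "__main__":
    cksum = hmac_md5_arcfour_checksum(SAMPLE_KEY, SAMPLE_T, SAMPLE_DATA)
    print("checksum:", cksum.hex())
    print("accepted:", verify_checksum(SAMPLE_KEY, SAMPLE_T, SAMPLE_DATA,
                                       CKSUMTYPE_HMAC_MD5_ARCFOUR, cksum))
    print("other type accepted:", verify_checksum(SAMPLE_KEY, SAMPLE_T, SAMPLE_DATA,
                                                  OTHER_CKSUMTYPE, cksum))
```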


