wrong checksum type for arcfour-hmac-md5
Luke Howard
lhoward at MIT.EDU
Wed Sep 15 12:15:55 EDT 2010
The trace simo attached showed unkeyed checksum in a tgs req, IIRC
Sent from my iPhone
On 15/09/2010, at 18:12, Greg Hudson <ghudson at MIT.EDU> wrote:
>> Why isn't this considered a bug in the server??
>
> All we know so far (assuming all of the given information is
> correct) is
> that the server will accept a GSSAPI authenticator with an rsa-md5
> checksum--which is not valid--but won't accept one with an hmac-md5
> checksum.
>
> That's not a bug in the server; if anything, the server is being
> overly
> permissive by accepting rsa-md5. It's a bug in the "home-grown
> GSSAPI"
> client that it's not jusing a GSSAPI authenticator checksum.
>
> If there are other circumstances where the server will accept rsa-
> md5 in
> an authenticator and not hmac-md5, that's worth knowing about.
>
>
More information about the krbdev
mailing list