wrong checksum type for arcfour-hmac-md5

Luke Howard lhoward at MIT.EDU
Wed Sep 15 12:24:18 EDT 2010


That's a lot of deployed samba though. Is it Windows or Heimdal that's  
not accepting the keyed checksum?

Sent from my iPhone

On 15/09/2010, at 18:16, Nicolas Williams  
<Nicolas.Williams at oracle.com> wrote:

> On Wed, Sep 15, 2010 at 12:12:53PM -0400, Greg Hudson wrote:
>>> Why isn't this considered a bug in the server??
>>
>> All we know so far (assuming all of the given information is  
>> correct) is
>> that the server will accept a GSSAPI authenticator with an rsa-md5
>> checksum--which is not valid--but won't accept one with an hmac-md5
>> checksum.
>>
>> That's not a bug in the server; if anything, the server is being  
>> overly
>> permissive by accepting rsa-md5.  It's a bug in the "home-grown  
>> GSSAPI"
>> client that it's not jusing a GSSAPI authenticator checksum.
>
> Fine, then I'd say the bug is in the home-grown initiator.
>
>> If there are other circumstances where the server will accept rsa- 
>> md5 in
>> an authenticator and not hmac-md5, that's worth knowing about.
>>
>>



More information about the krbdev mailing list