wrong checksum type for arcfour-hmac-md5
Nicolas Williams
Nicolas.Williams at oracle.com
Wed Sep 15 15:48:14 EDT 2010
On Wed, Sep 15, 2010 at 03:07:43PM -0400, Greg Hudson wrote:
> Since the authenticator checksum doesn't need to be keyed, I don't
> object in principal to messing with that specific choice for
> interoperability. I'd prefer a better understanding of the reasons why,
> though; the bug presented so far only seems to affect malformed GSSAPI
> token authenticators, and is as easy to fix in Samba as it is in MIT
> krb5.
And which is easier to patch? I'm not sure. Typically I think of
servers as easier to patch than clients -- there's usually many more of
the latter than the former. But here it may well matter for the MIT
client side to interop with currently deployed Samba servers, for
various reasons.
More information about the krbdev
mailing list