Decrypting KRB_CRED in AP_REQ
Weijun Wang
weijun.wang at oracle.com
Thu Mar 31 21:38:34 EDT 2011
On 03/31/2011 10:52 PM, Greg Hudson wrote:
> On Thu, 2011-03-31 at 00:17 -0400, Weijun Wang wrote:
>> Here, it seems the decrypt key should be the session key of the service
>> ticket. What shall I do if the authenticator has a subkey?
>
> You should still use the session key of the service ticket.
>
> Heimdal and MIT krb5 both attempt to decrypt with the session key and
> subkey. But Microsoft Kerberos only decrypts with the session key. We
> found this out the hard way when we accidentally started encrypting
> GSSAPI forwarded creds with the subkey in 1.8.
So, the following paragraph on
http://packages.qa.debian.org/k/krb5/news/20100411T160238Z.html is about
this issue?
* Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
Kerberos and Microsoft Kerberos; resolve this incompatibility. As a
result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
produce undesirable results for constrained delegation. Again,
another reason to replace 1.8 with 1.8.1 as soon as possible.
I cannot find a related bug id. Is the old behavior back in 1.8.1?
Thanks
Max
>
>> So, does the case in RFC 4121 4.1.1 I quoted above belong to "this
>> specific application session"?
>
> I would not say that GSSAPI forwarded creds belong to the application
> session, no. At any rate, the more specific statement in RFC 4121 takes
> precedence.
>
>