Decrypting KRB_CRED in AP_REQ

Weijun Wang weijun.wang at oracle.com
Thu Mar 31 21:38:34 EDT 2011
On 03/31/2011 10:52 PM, Greg Hudson wrote:
> On Thu, 2011-03-31 at 00:17 -0400, Weijun Wang wrote:
>> Here, it seems the decrypt key should be the session key of the service
>> ticket. What shall I do if the authenticator has a subkey?
>
> You should still use the session key of the service ticket.
>
> Heimdal and MIT krb5 both attempt to decrypt with the session key and
> subkey.  But Microsoft Kerberos only decrypts with the session key.  We
> found this out the hard way when we accidentally started encrypting
> GSSAPI forwarded creds with the subkey in 1.8.

So, the following paragraph on 
http://packages.qa.debian.org/k/krb5/news/20100411T160238Z.html is about 
this issue?

    * Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
      Kerberos and Microsoft Kerberos; resolve this incompatibility.  As a
      result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
      produce undesirable results for constrained delegation.  Again,
      another reason to replace 1.8 with 1.8.1 as soon as possible.

I cannot find a related bug id. Is the old behavior back in 1.8.1?

Thanks
Max


>
>> So, does the case in RFC 4121 4.1.1 I quoted above belong to "this
>> specific application session"?
>
> I would not say that GSSAPI forwarded creds belong to the application
> session, no.  At any rate, the more specific statement in RFC 4121 takes
> precedence.
>
