GSS MIC problems between Unix and Windows
Olga Kornievskaia
aglo at citi.umich.edu
Tue May 3 15:31:23 EDT 2011
What error code do you get from VerifySignature()?
On Wed, Apr 6, 2011 at 11:59 AM, Richard Evans
<richard.evans at datanomic.com> wrote:
> I'm using the gss APIs on a Linux box to establish a context with a
> Windows 7 system using SSPI. The context is established fine at both
> ends in one handshake, as expected. The 'supports integrity checking'
> flag is correctly set on both contexts.
>
> However I'm then trying to verify a message by generating a MIC at the
> Unix end, using gss_get_mic, and verifying at the Windows end using
> VerifySignature. I can never get the verification to succeed. I get
> similar problems if I generate the MIC on Windows using MakeSignature
> and verify it on Unix, using gss_verify_mic.
>
> At the Unix end I've tried both the implementation in Java 1.6u24, and
> native Kerberos libraries (1.7.1 on Fedora 12). The MIC generated when
> the client or server uses the Java APIs is 37 bytes long and looks like
> the format described in RFC 1964; the MIC when native Kerberos is used
> is 28 bytes long and seems to match RFC 4121.
>
> I can get the test to work if both ends are Windows or both ends are
> Unix, but not with a mixture.
>
> Are there any special tricks or problems with using VerifySignature and
> gss_get_mic?
>
> The background is that I'm testing gssapi-with-mic support in Apache
> SSHD - the final MIC verification is failing.
>
> Richard
>
> _______________________________________________
> krbdev mailing list krbdev at mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>
More information about the krbdev
mailing list