[36142] in Kerberos
Re: Problems parsing old krbPrincipalKey attributes from LDAP backend
daemon@ATHENA.MIT.EDU (Frank Steinberg)
Sat May 24 06:14:44 2014
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.2\))
From: Frank Steinberg <steinberg@ibr.cs.tu-bs.de>
In-Reply-To: <53802188.5020003@mit.edu>
Date: Sat, 24 May 2014 12:14:24 +0200
Message-Id: <46B58A55-C22F-4475-BE37-7B14F8BC2E52@ibr.cs.tu-bs.de>
To: Greg Hudson <ghudson@mit.edu>
Cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
[Subsequent messages containing key data have not been sent to the mailing list.]
Hi Greg,
thank you very much. Now I have a better understanding of the problem.
I started to analyze the key data with an ASN.1 decoder and could identify
the differences in the optional salt sequence. Patching the KDC would be
possible; however, I think I will try the approach of recoding the affected
key data. If I come up with a solution (or if I give up :-)) I will
let you know...
--- /root/key-old 2014-05-24 11:56:38.143692128 +0200
+++ /root/key-new 2014-05-24 11:56:37.231688930 +0200
@@ -1,179 +1,207 @@
SEQUENCE {
[0] {
INTEGER 1
}
[1] {
INTEGER 1
}
[2] {
- INTEGER 1
+ INTEGER 2
}
[3] {
- INTEGER 0
+ INTEGER 1
}
[4] {
SEQUENCE {
SEQUENCE {
+ [0] {
+ SEQUENCE {
+ [0] {
+ INTEGER 0
+ }
+ }
+ }
[1] {
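Review bot: the hunk is cut off at `[1] {` although its header announces 179 and 207 lines, so the end of the [4] element and anything after the added [0] are not shown, and the statement that the difference lies in the optional salt sequence cannot be checked against this excerpt; please post the dump through the close of [4]. The other two visible changes, `- INTEGER 1` / `+ INTEGER 2` under [2] and `- INTEGER 0` / `+ INTEGER 1` under [3], lie outside [4] and are not mentioned in the analysis, so it should be stated whether they are expected side effects of producing key-new or part of the encoding difference, otherwise readers will lump them in with the salt change. Finally, the element that exists only in key-new is `[0] { SEQUENCE { [0] { INTEGER 0 } } }`; recording next to the diff which form the 1.12 decoder rejects (the one without it or the one with it) is what decides between re-encoding the stored entries and patching the decoder.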
On 24.05.2014 at 06:35, Greg Hudson <ghudson@MIT.EDU> wrote:
> Thanks for this information. I was able to figure out what
> unintentionally changed; the upshot is that most LDAP key data encoded
> with version 1.6 cannot be decoded with version 1.11 or 1.12. The
> details are complicated; if you care, they are at:
>
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7918
> http://krbdev.mit.edu/rt/Ticket/Display.html?id=7919
>
> Are you in a position to patch your 1.12 KDC once I develop a fix for
> this? If not, it's theoretically possible to re-encode the key data
> in the affected DB entries, but it wouldn't be all that straightforward.
>
> On 05/23/2014 08:14 AM, Frank Steinberg wrote:
>> Hi Greg!
>>
>> thank you for the very prompt response! I'm sorry, that it took
>> three days to get back on this issue.
>>
>> On 20.05.2014 at 17:01, Greg Hudson <ghudson@MIT.EDU> wrote:
>>
>>> On 05/20/2014 09:56 AM, Frank Steinberg wrote:
>>>> Did this krbPrincipalKey type change?
>>>
>>> Not intentionally. [...]
>>>
>>> * You could send me a hex dump of a key sequence which decodes in
>>> 1.10 but not in 1.12.
>>
>> This is the (former) LDIF attribute of our principal [...]
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
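The message above compares two ASN.1 dumps of the same principal's key data by eye. As an added example, not code from this thread or from MIT krb5, here is a small DER walker in Python that renders a nested structure in the same style as the posted dump and reports where two encodings diverge, so that an optional context-tagged element present in one encoding and absent in the other shows up as a single path rather than a block of `+` lines. The two byte strings are constructed to mirror the shapes visible in the diff (context-tagged INTEGERs under a SEQUENCE, a nested SEQUENCE under [4], an extra [0] element on the new side); they are not real krbPrincipalKey data, the body of the [1] element is filler because the page does not show it, and no meaning is assigned to fields [0]..[4] because the page does not give one. The function names (`parse`, `dump`, `diff_trees`, `find`, `is_well_formed`) and the `#index` path notation are this example's own.

```python
"""DER walker: renders nested ASN.1 like the dump above and reports where two
encodings diverge. Added example, not code from the thread or from MIT krb5.
The sample bytes are CONSTRUCTED to mirror the shapes in the posted diff: not
real krbPrincipalKey data, filler for the unshown [1] body, no field meanings."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# --- tiny DER encoder, used only to build the constructed samples ----------
def tlv(tag: int, value: bytes) -> bytes:
    n, nb = len(value), (len(value).bit_length() + 7) // 8
    lenbytes = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + lenbytes + value
def integer(v: int) -> bytes:              # minimal two's-complement INTEGER
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))
def seq(*items: bytes) -> bytes:           # universal SEQUENCE (constructed)
    return tlv(0x30, b"".join(items))
def ctx(n: int, *items: bytes) -> bytes:   # context-specific [n] (constructed)
    return tlv(0xA0 | n, b"".join(items))

@dataclass
class Node:
    label: str                             # "SEQUENCE", "[0]", "INTEGER 1", ...
    children: List["Node"] = field(default_factory=list)

def _read_tlv(data: bytes, pos: int) -> Tuple[int, bool, bytes, int]:
    """TLV at pos -> (tag, constructed, value, next_pos); raises on malformed input."""
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not supported")
    length, pos = data[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated element")
    return tag, bool(tag & 0x20), data[pos:pos + length], pos + length

def _to_node(tag: int, constructed: bool, value: bytes) -> Node:
    if tag == 0x02:
        return Node(f"INTEGER {int.from_bytes(value, 'big', signed=True)}")
    if tag == 0x04:
        return Node(f"OCTET STRING {value.hex()}")
    label = f"[{tag & 0x1F}]" if tag & 0xC0 == 0x80 else "SEQUENCE" if tag == 0x30 else f"TAG 0x{tag:02x}"
    if not constructed:                     # primitive with a tag we do not decode
        return Node(f"{label} {value.hex()}")
    node, pos = Node(label), 0
    while pos < len(value):
        t, c, v, pos = _read_tlv(value, pos)
        node.children.append(_to_node(t, c, v))
    return node

def parse(data: bytes) -> Node:
    tag, constructed, value, end = _read_tlv(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after outer element")
    return _to_node(tag, constructed, value)

def is_well_formed(data: bytes) -> bool:
    try:
        return parse(data) is not None
    except (ValueError, IndexError):
        return False

def dump(node: Node, indent: int = 0) -> List[str]:
    """Render in the same style as the ASN.1 dump in the posted diff."""
    pad = "  " * indent
    if not node.children:
        return [pad + node.label]
    return [pad + node.label + " {"] + [s for c in node.children for s in dump(c, indent + 1)] + [pad + "}"]

# --- structural diff: [n] children match by tag, everything else by position,
# so an optional element present on one side only is reported, not misaligned
def _key(i: int, n: Node) -> str:
    return n.label if n.label.startswith("[") else f"{n.label.split()[0]}#{i}"
def diff_trees(a: Node, b: Node, path: str = "") -> List[str]:
    out = [] if a.label == b.label else [f"{path or '/'}: {a.label} -> {b.label}"]
    ka = {_key(i, c): c for i, c in enumerate(a.children)}
    kb = {_key(i, c): c for i, c in enumerate(b.children)}
    for k in list(ka) + [k for k in kb if k not in ka]:
        if k not in kb:
            out.append(f"{path}/{k}: removed")
        elif k not in ka:
            out.append(f"{path}/{k}: added")
        else:
            out.extend(diff_trees(ka[k], kb[k], f"{path}/{k}"))
    return out

def find(node: Node, path: str) -> Optional[Node]:
    """Follow a diff_trees path; None means that element is absent on this side."""
    for part in path.strip("/").split("/"):
        node = {_key(i, c): c for i, c in enumerate(node.children)}.get(part)
        if node is None:
            return None
    return node

# --- constructed samples shaped like key-old / key-new in the posted diff ---
_FILLER = ctx(1, tlv(0x04, bytes(4)))       # stands in for the unshown [1] body
OLD_KEY = seq(ctx(0, integer(1)), ctx(1, integer(1)), ctx(2, integer(1)), ctx(3, integer(0)),
              ctx(4, seq(seq(_FILLER))))
NEW_KEY = seq(ctx(0, integer(1)), ctx(1, integer(1)), ctx(2, integer(2)), ctx(3, integer(1)),
              ctx(4, seq(seq(ctx(0, seq(ctx(0, integer(0)))), _FILLER))))
```

Running `diff_trees(parse(OLD_KEY), parse(NEW_KEY))` on the constructed samples yields three paths: a value change under [2], a value change under [3], and `/[4]/SEQUENCE#0/SEQUENCE#0/[0]: added`, which is the shape of the difference the message attributes to the optional salt sequence; `find` on the old tree returns None for that path, which is the "optional element absent" case a decoder either tolerates or rejects. Matching context-tagged children by tag rather than by position is what keeps the later [1] element from being reported as changed when an earlier optional element appears; the walker rejects truncated input, trailing bytes, indefinite lengths and multi-byte tags instead of guessing.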