[5124] in Kerberos

home help back first fref pref prev next nref lref last post

Re: Kerberos 5 Beta 5 Interoperability with DCE # 2

daemon@ATHENA.MIT.EDU (Joe Kovara)
Wed May 10 01:06:52 1995

To: kerberos@MIT.EDU
Date: Tue, 9 May 1995 21:27:11 -0700
From: Joe Kovara <joek@CyberSAFE.COM>

On 8 May 1995, Doug Engert wrote:
[...] 
> Since the etype in this routine was taken from the krbtgt and as
> the comments in the krb5.h for the krb5_keyblock indicate, it is
> only a HINT. It appears that the ETYPE_DES_CBC_CRC was used by
> the dce_login, while the ETYPE_DES_CBC_MD5 was used by the
> rlogin.
> 
> A better test might be:
> if(krb5_csarraylocal_dec_rep->enc_part.etypeY->system->proto_keytype
>    != key->keytype)
> Test if the key can be used for this encryption method.
[...]

While the above will work, I believe the fix violates the spirit (if not
the letter?) of the RFC; the original code is, I believe, simply
deficient. 

The e-type in the request is more than a "hint".  The KDC should use the
first supported e-type; it is assumed that the client put the e-types in
order of preference for a reason.  At any rate, the KDC _must_ use one of
the requested e-types, or it should reject the request with an
"unsupported e-type" error--it should not simply pick something it happens
to like. 

By the same token, the client should reject the reply if it does not match
_one_ of the requested e-types.  (The function described above only
accepts a single e-type.  Oh well.)  This may be different than the e-type
of the TGT, since, of course, the server in question may not support all
of the client's e-types (or for a couple other reasons).

While simply saying that any e-type will do (as long as the key will
work), I think that a response that uses an e-type other than one of the
ones requested indicates a broken KDC, and the client should reject the
reply.  This is in the same spirit as the rest of the checks made by the
client of KDC replies: even though a reply may decrypt properly and is
within the clock skew, the client still checks--and will reject--a KDC
reply for any number of reasons; many of those checks are "if it ain't
exactly what I requested, reject it with a 'KDC reply modified' error".

Yes, one could make the argument that, since the client has already
decrypted the original KDC reply, that the KDC knows that the client
supports that e-type, and that the client doesn't have to explicitly
request the e-type present in the TGT.  But this raises several other
questions/ambiguities (which is one thing we don't need more of :); but
any discussion of them would would probably induce disorientation and
nausea, if not bore you to death. 

Then again, the RFC can be a bit fuzzy when it comes to the treatment of
multiple e-types and key types, so some additional discussion and comment
is probably in order...


Joe Kovara / Product Development Manager / CyberSAFE / joek@cybersafe.com

home help back first fref pref prev next nref lref last post