[1007] in Kerberos-V5-bugs
Re: Inconsistent behavior?
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Fri Dec 23 14:28:21 1994
Date: Fri, 23 Dec 1994 14:28:16 +0500
From: Theodore Ts'o <tytso@MIT.EDU>
To: georgesr@wrq.com (georges rahbani)
Cc: krb5-bugs@MIT.EDU, georgesr@elmer.wrq.com
In-Reply-To: [979]
[0979] daemon@ATHENA.MIT.EDU (georges rahbani) Kerberos-V5-bugs 12/06/94 14:28 (43 lines)
Date: Tue, 06 Dec 1994 11:28:00 -0800
From: georgesr@wrq.com (georges rahbani)
kinit with no pre-authentication works fine for my realm CHESTER.GAR
as well as for ATHENA.MIT.EDU. This also works when I run kinit from
the sun machine. This is defined in the array preauth_search_list in
the file kinit.c
* kinit with KRB5_PADATA_ENC_UNIX_TIME fails from both the pc as well
as when I try it from the compiled code on the sun. On the PC I get
in etext "Integrity check failed" and on the sun kinit prints out
"incorrect password"

I've figured out why this is losing for you. The problem is that the
preauthentication code doesn't know which salting algorithm it should
use; so it uses the default salting algorithm. But in the
ATHENA.MIT.EDU realm, your password is converted to the key using the
Kerberos V4 salting algorithm, and so the guess made by the
preauthentication code is the wrong one.
Unfortunately, fixing this is going to require changing the Kerberos
API, because the way the key_proc callback is set up simply doesn't
allow the get_in_tkt to try with multiple salting algorithms.
We're considering a whole series of API changes in the near future
(basically because this is going to be our last chance to make any API
changes). So this is something that we're likely to address ---
although people like yourself who have ports in progress aren't going to
be terribly happy when you see the magnitude of the API changes that
we're planning. So this is a bit of good news, bad news sort of thing
for you, I guess.
Good luck, and best wishes for the holidays....
- Ted
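
The salt mismatch diagnosed in the reply above, as an added Python model that is not part of the original message or of the MIT code: a client that derives its key with the V5 default salt fails the KDC's integrity check when the stored key was derived with the V4 (empty) salt, and a retry over candidate salts succeeds. Assumptions: PBKDF2 and HMAC stand in for the DES string-to-key and the encrypted timestamp, and all function names, the principal and the password are hypothetical.

```python
import hashlib
import hmac
import struct

def string_to_key(password, salt):
    # Stand-in KDF (assumption): the 1994 code used a DES string-to-key,
    # which is not modelled. The fixed prefix keeps the KDF salt non-empty.
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               b"model-s2k:" + salt, 1000, dklen=16)

def v5_default_salt(realm, components):
    # Kerberos V5 default salt: realm followed by the principal's name components.
    return (realm + "".join(components)).encode()

V4_SALT = b""  # Kerberos V4 string-to-key uses no salt

def make_padata(key, now):
    # Simplified timestamp preauth blob: timestamp plus a keyed checksum.
    body = struct.pack(">I", now)
    return body + hmac.new(key, body, hashlib.sha256).digest()

def kdc_verify(stored_key, padata):
    # The KDC recomputes the checksum with the key it has on file.
    body, tag = padata[:4], padata[4:]
    expected = hmac.new(stored_key, body, hashlib.sha256).digest()
    return "ok" if hmac.compare_digest(tag, expected) else "Integrity check failed"

def first_accepted_salt(password, candidates, stored_key, now):
    # Hypothetical retry loop: one preauth attempt per candidate salt.
    for name, salt in candidates:
        key = string_to_key(password, salt)
        if kdc_verify(stored_key, make_padata(key, now)) == "ok":
            return name
    return None

# Constructed sample data (principal, password and timestamp are made up).
REALM, NAME, PASSWORD, NOW = "ATHENA.MIT.EDU", ["jdoe"], "correct horse", 788207296
DEFAULT_SALT = v5_default_salt(REALM, NAME)
KDC_KEY = string_to_key(PASSWORD, V4_SALT)  # this realm stores V4-salted keys
CANDIDATES = [("v5-default", DEFAULT_SALT), ("v4", V4_SALT)]

if __name__ == "__main__":
    guess = string_to_key(PASSWORD, DEFAULT_SALT)
    print("default salt only:", kdc_verify(KDC_KEY, make_padata(guess, NOW)))
    print("accepted salt:", first_accepted_salt(PASSWORD, CANDIDATES, KDC_KEY, NOW))
```
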