[1366] in Kerberos-V5-bugs
Kerberos 5 Beta 5 Interoperability with DCE # 2
daemon@ATHENA.MIT.EDU (Doug Engert)
Mon May 8 17:11:15 1995
Date: Mon, 08 May 95 16:10:40 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <KRB5-BUGS@MIT.EDU>
Cc: <SIG-SECURITY@OSF.ORG>, <KERBEROS@MIT.EDU>, <AUTHTF@ES.NET>
When using a DCE security server as the KDC, and using the K5.5
kinit and the K5.5 rlogin everything works. (This is with the fix I sent
in Saturday.)
When using the dce_login command, the krbtgt is obtained, but
when the rlogin tries to get the ticket for host/.... it gets a
KRB5_WRONG_ETYPE return code from ./lib/krb5/krb/decode_kdc.c.
(This worked in K5.4.3.)
It appears that the "if (local_dec_rep->enc_part.etype != etype)"
is not adequate in this situation, where one encryption method is
used for the krbtgt, and another is used for the host/... ticket.
Kerberos 5 beta 5 introduced a second encryption type,
ETYPE_DES_CBC_MD5, in addition to the ETYPE_DES_CBC_CRC. This
allowed the client to suggest and the KDC to select which one to
use.
Since the etype in this routine was taken from the krbtgt and as
the comments in the krb5.h for the krb5_keyblock indicate, it is
only a HINT. It appears that the ETYPE_DES_CBC_CRC was used by
the dce_login, while the ETYPE_DES_CBC_MD5 was used by the
rlogin.
A better test might be:
    if (krb5_csarray[local_dec_rep->enc_part.etype]->system->proto_keytype
            != key->keytype)
Test if the key can be used for this encryption method.
The K5.5 clients are on an AIX 3.2.5 system, the K5.5 rlogind is on a
SunOS 4.1.3_U1 and the DCE security server is on a Solaris 2.4
system with the Transarc 1.0.3a DCE. (I have also built k5.5 on
a Linux system at home, and it works as well!)
A complete context diff file can be found at
ftp://achilles.ctd.anl.gov/pub/kerberos.v5/k55.cdiff.950508
which contains a number of other changes, some for AIX.
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
------------------------------------------
*** ./lib/krb5/krb/,decode_kdc.c Thu Apr 13 19:53:55 1995
--- ./lib/krb5/krb/decode_kdc.c Mon May 8 15:25:17 1995
***************
*** 60,66 ****
if (retval)
return retval;
! if (local_dec_rep->enc_part.etype != etype) {
krb5_free_kdc_rep(context, local_dec_rep);
return KRB5_WRONG_ETYPE;
}
--- 60,78 ----
if (retval)
return retval;
! /* ANL - The following check is being changed, since the
! * etype being tested is only a hint at what etype to expect.
! * See the krb5_keyblock definition in krb5.h.
! * Also see the XXX comment in krb5.h before krb5_keytype_array
! * This causes a problem with tickets obtained from DCE.
! * which suggest one etype, but may have another.
! * This problem was introduced in 5 beta 5 when a second etype
! * was added.
! */
! /* if (local_dec_rep->enc_part.etype != etype) { */
!
! if (krb5_csarray
local_dec_rep->enc_part.etypeY->system->proto_keytype
! != key->keytype) {
krb5_free_kdc_rep(context, local_dec_rep);
return KRB5_WRONG_ETYPE;
}
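
Review bot: The replacement condition in the 60,78 hunk has no range or NULL check before it uses local_dec_rep->enc_part.etype, a value taken from the decoded KDC reply, to pick the krb5_csarray entry and dereference ->system->proto_keytype. Suggest validating the reply's etype first and returning KRB5_WRONG_ETYPE (after krb5_free_kdc_rep) when it is out of range or has no table entry, so an unexpected or malformed reply fails cleanly rather than reading through a bad pointer. Since the check now accepts any etype whose key type matches key->keytype, the comment should also say that the caller's etype argument is no longer enforced here, and the commented-out original "if" can be dropped in favour of that explanation.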