[1642] in Kerberos-V5-bugs


telnet incompatibility between V5b4pl3 and V5b5

daemon@ATHENA.MIT.EDU (Andrew Gross)
Sun Sep 24 06:16:25 1995

From: Andrew Gross <grossa@SDSC.EDU>
Date: Sun, 24 Sep 95 03:16:13 PDT
To: krb5-bugs@MIT.EDU

Hello,

   I have found what appears to be an incompatibility between telnet
in Kerberos V5b4pl3 and Kerberos V5b5.  Between like versions, the
kerberos_v5 client|mutual (auth type 02 02) works, but cross versions it
fails with the message:

        [ Mutual authentication failed: Decrypt integrity check failed ]

Some checking reveals that the obvious key mismatch problem does exist.
In V5b4pl3, a new session key is requested
(appl/telnet/libtelnet/kerberos5.c:kerberos5_send) in the krb5_mk_req_extended
call.  This key is then used in (kerberos5.c:kerberos5_reply) to decrypt the
mutual authentication reply by calling:
krb5_rd_rep(&inbuf, &session_key, &reply) .

   The reply is generated in V5b5 (kerberos5.c:kerberos5_is) by
calling: krb5_mk_rep(telnet_context, auth_context, &outbuf) .  We note
that (lib/krb5/krb/mk_rep.c) krb5_mk_rep sets up the encryption key by calling:
krb5_process_key(context, &eblock, auth_context->keyblock) .  Thus
only the auth_context->keyblock is being used for encryption in V5b5
whereas V5b4pl3 uses the negotiated session key for this transaction.

   There doesn't appear to be a provision that would allow the optional
use of the *_subkey keyblocks in krb5_mk_req and krb5_rd_rep calls.

Thank you,
Andrew Gross
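
The mismatch reported above, as an added example that is not part of the original post or of the Kerberos source: a constructed model in which the replying side and the verifying side each choose either the ticket session key (`auth_context->keyblock`) or the newly requested key, here assumed to be a separate subkey. SHA-256 and HMAC stand in for the real Kerberos encryption types, and all function names are hypothetical.

```python
import hashlib, hmac, os

class IntegrityError(Exception):
    """Stand-in for the telnet client's 'Decrypt integrity check failed'."""

def _derive(key):
    # Separate encryption and MAC keys derived from one Kerberos-style key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _xor_stream(enc_key, nonce, data):
    # Toy SHA-256 counter-mode keystream; NOT a real Kerberos enctype.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hashlib.sha256(enc_key + nonce + ctr.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    enc_key, mac_key = _derive(key)
    nonce = os.urandom(8)
    ct = _xor_stream(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    enc_key, mac_key = _derive(key)
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("Decrypt integrity check failed")
    return _xor_stream(enc_key, nonce, ct)

def mutual_auth(server_key_choice, client_key_choice):
    """Run one constructed reply exchange; each side picks 'ticket' or 'subkey'."""
    keys = {"ticket": os.urandom(16),   # models auth_context->keyblock
            "subkey": os.urandom(16)}   # assumed: the newly requested key
    reply = seal(keys[server_key_choice], b"constructed AP-REP body")
    try:
        unseal(keys[client_key_choice], reply)
        return "ok"
    except IntegrityError as err:
        return str(err)

def which_key(blob, candidates):
    """Debug aid: name of the candidate key that verifies blob, else None."""
    for name, key in candidates.items():
        try:
            unseal(key, blob)
            return name
        except IntegrityError:
            pass
    return None

if __name__ == "__main__":
    for server, client in [("subkey", "subkey"), ("ticket", "ticket"), ("ticket", "subkey")]:
        print(f"server={server:6} client={client:6} -> {mutual_auth(server, client)}")
```

Matching key choices verify, while the mixed case fails at the integrity check before any plaintext is returned; `which_key` shows how trying each candidate key against a captured reply identifies which one the peer used.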
