[1882] in Kerberos-V5-bugs
ss-960411 Checksum Problems
daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Apr 16 18:06:56 1996
Date: Tue, 16 Apr 1996 17:06:38 -0500
From: Doug Engert <DEEngert@anl.gov>
To: krb5-bugs@MIT.EDU
While testing the ss-960411 snapshot, I always get a "Decrypt
integrity check failed" when using an older version of krlogin with
the newer krlogind.

It appears that krlogind.c should only be checking the checksum if the
-c option is set. But the logic appears to check it anyway, and the
krb5_verify_checksum is called which returns the bad status.

The status is returned by recvauth, but the status is checked before
the valid_checksum, and thus all the nice error messages: "You are
using an old Kerberos5 without initial connection support; only newer
clients are authorized" will never be seen.

krshd.c appears to have the same problem. I have not looked at
any other clients.

I have tried this fix with and without the -c option, and it has the
correct behavior, but not the nice error messages.

*** ,krlogind.c Thu Apr 11 19:13:46 1996
--- krlogind.c Tue Apr 16 16:26:42 1996
***************
*** 1533,1539 ****
getstr(netf, lusername, sizeof (lusername), "locuser");
getstr(netf, term, sizeof(term), "Terminal type");
! if (auth_sys == KRB5_RECVAUTH_V5) {
if(status = krb5_auth_con_getauthenticator(bsd_context, auth_context, &authenticator))
return status;
--- 1557,1563 ----
getstr(netf, lusername, sizeof (lusername), "locuser");
getstr(netf, term, sizeof(term), "Terminal type");
! if ((auth_sys == KRB5_RECVAUTH_V5) && checksum_required) {
if(status = krb5_auth_con_getauthenticator(bsd_context, auth_context, &authenticator))
return status;
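
Review bot: The changed `if` in the 1557,1563 hunk now skips the whole block, including the krb5_auth_con_getauthenticator call, whenever checksum_required is unset, so in that mode a checksum that a newer client does send is never examined. Consider keeping the `auth_sys == KRB5_RECVAUTH_V5` test as the outer condition and making only the failure path depend on checksum_required, so that a checksum which is present is still checked and only a missing or unverifiable one is tolerated when -c is off. The ordering problem described in the message (status tested before valid_checksum, so the "old Kerberos5" error text is never printed) is left as is by this hunk, and krshd.c, which the message says has the same logic, is not covered by the patch. As a style point, `if(status = ...)` would read more safely as `if ((status = ...))` or with an explicit `!= 0`.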
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov