[2308] in Kerberos-V5-bugs
krb5-libs/72: krb5.conf's enctype/cksumtype syntax is inconsistent
daemon@ATHENA.MIT.EDU (John Hawkinson)
Sun Oct 6 14:43:06 1996
Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, John Hawkinson <jhawk@bbnplanet.com>
Date: Sun, 6 Oct 1996 14:42:24 -0400
From: John Hawkinson <jhawk@bbnplanet.com>
To: krb5-bugs@MIT.EDU
>Number: 72
>Category: krb5-libs
>Synopsis: krb5.conf's enctype/cksumtype syntax is inconsistent
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: krb5-unassigned
>State: open
>Class: doc-bug
>Submitter-Id: unknown
>Arrival-Date: Sun Oct 6 14:43:01 EDT 1996
>Last-Modified:
>Originator:
>Organization:
BBN Planet
>Release: beta-7
>Environment:
System: SunOS all-purpo 4.1.4 4 sun4m
Architecture: sun4
>Description:
krb5.conf seems to let you specify enctypes using names, but cksumtypes
using numbers.
At least, the documentation is ambiguous about what enctypes are allowed:

    default_tgs_enctypes
        This relation identifies the supported list of session
        key encryption types that should be returned by the
        KDC. The list may be delimited with commas or whitespace.

(at the very least the space of possible values should be enumerated.
There are no references in the SEE ALSO section that might possibly
be relevant). The sample config file uses:

    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc

Anyhow, this is inconsistent with the cksumtypes, for which you need to
specify a number:

    kdc_req_checksum_type
        For compatibility with DCE security servers which do
        not support the default CKSUMTYPE_RSA_MD5 used by this
        version of Kerberos. Use a value of 2 to use the
        CKSUMTYPE_RSA_MD4 instead. This applies to DCE 1.1 and
        earlier.

I think that enumerated types (i.e. names) should be used for all of
these instead of on-the-wire numbers.
Also, the sample krb5.conf should be updated to include the default
values of all the options...
>How-To-Repeat:
Umm, use a DCE-ish telnet client against a Beta 7 telnetd
and watch it lose.
>Fix:
>Audit-Trail:
>Unformatted: