[2318] in Kerberos-V5-bugs


Re: krb5-kdc/68: kdc violates RFC1510 and fails to support/ignore PA-ENC-TIMESTAMP

daemon@ATHENA.MIT.EDU (John Hawkinson)
Mon Oct 7 12:06:34 1996

To: "Theodore Y. Ts'o" <tytso@MIT.EDU>
Date: Mon, 7 Oct 1996 12:02:19 -0400 (EDT)
From: John Hawkinson <jhawk@bbnplanet.com>
Cc: krb5-prs@rt-11.mit.edu, krb5-bugs@MIT.EDU
In-Reply-To: <9610071432.AA15605@dcl.MIT.EDU> from "Theodore Y. Ts'o" at Oct 7, 96 10:32:25 am

> Note that the KDC does in fact support PA-ENC-TIMESTAMP.  This may be a
> bug in the KDC not implementing the preauthentication type correctly,
> but we also have to consider the possibility that the IOS screwed up.
> More research is necessary....

Sigh.

It appears I succeeded in confusing KRB5_PADATA_ENC_UNIX_TIME and
KRB5_PADATA_ENC_TIMESTAMP. The former is what was being used here and
is generating the failure, and the latter is what RFC1510 mandates and
what Beta 7 supports.

Someone should downgrade this PR.

Of course, it would be nice if:

	1)	The kdc would provide more useful information. In addition
	to what I noted in my pr (logged to user.?), it also logged something
	to auth.?, seemingly cryptically:

Oct  6 02:10:31 liam-gw syslog: Unknown code jI 200 - pa verify failure
Oct  7 11:11:18 liam-gw syslog: Unknown code iX 40 - pa verify failure
Oct  7 11:35:20 liam-gw syslog: Unknown code hl 184 - pa verify failure
Oct  7 11:39:03 liam-gw syslog: Unknown code hl 184 - pa verify failure
Oct  7 11:46:12 liam-gw syslog: Unknown code hl 184 - pa verify failure

	2)	The maintainer of the Kerberos 5 tcpdump patches would
	wake up and get them finished. Feel free to admonish him about
	this :-)

--jhawk

ps: What is the canonical address for the list formerly known as
	krb5-bugs? Choices appear to be krb5-prs@rt-11.mit.edu and
	krb5-bugs-redist@mit.edu, neither of which seems awfully
	appropriate. I would think krb5-bugs-redist@mit.edu should be
	renamed to krb5-prs@mit.edu and that should be the address
	canonically advertised...
