[264] in Kerberos-V5-bugs
Porting problems in V5
daemon@ATHENA.MIT.EDU (Tony Lill)
Wed Dec 9 00:19:50 1992
To: athena.mit.edu!kerberos@eddie.mit.edu
Cc: athena.mit.edu!krb5-bugs@eddie.mit.edu
Reply-To: harvard!scubed!riipsdev.waterloo.ncr.com!ajlill@eddie.mit.edu
Date: Tue, 08 Dec 92 16:46:40 -0500
From: Tony Lill <harvard!scubed!riipsdev.waterloo.ncr.com!ajlill@eddie.mit.edu>
I'm in the middle of porting V5 to Windows, and I would like some
feedback on a couple of problems I've run into.

The first is in the KRB5_PADATA_ENC_TIMESTAMP preauthorization type.
It contains a 4-byte confounder and the machine representation of time
(i.e., the (currently) long returned by the time() system call). For those
of you who, lucky enough not to have dealt extensively with DOS, don't know,
the DOS time() call returns the number of seconds since midnight, Dec
31, 1899, rather than Jan 1, 1970.

My current solution (hack) is to adjust the value on the DOS machine so
it's based on the UNIX epoch. A better solution would be to encode the
timestamp in "Universal" time, as the rest of the timestamps are, or
at least, put a tm-like structure instead of the long. Comments?

The second problem is more serious. In the ticket requests and
responses is the nonce field. From what I could gather, this is used
for two purposes, as a unique identifier, and as a base to check if
the starttime in the reply is within the allowed clock skew. The
problem is that in the ASN.1 protocol, it is described as INTEGER.
Pepsy (from isode 8.0) turns that into an int when it creates its
tables. Internally to kerberos, it is a krb5_int32. When the reply
comes in, the nonce has been converted from a long to an int and back,
so it doesn't match with what went out. What I'm planning to do for
now is to only compare the low word on the nonce when I check the
reply, but either pepsy must be fixed, or the kdc requests must be for
a "proper" solution. Comments?

Thanks
Tony Lill, Tony.Lill@Waterloo.NCR.COM
President, A. J. Lill Consultants (519) 650 0660
539 Grand Valley Dr., Cambridge, Ont. (519) 653 9732
presently at E&M Waterloo, NCR Canada Ltd. (519) 884 1710 x624
voice plus 643 1624
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"
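
The nonce round trip described in the message above, as an added illustration that is not part of the original post or of the Kerberos or ISODE sources. It assumes a 16-bit `int` on the porting target, modelled here with fixed-width types; all function names and the sample nonce are constructed for this example. It shows why the full comparison fails after the round trip and how much weaker a low-word-only comparison is.

```c
#include <stdint.h>
#include <stdio.h>

/* Low 16 bits of a 32-bit value: all that survives a 16-bit int. */
static uint16_t low_word(uint32_t v) { return (uint16_t)(v & 0xFFFFu); }

/* Model 32-bit nonce -> 16-bit int -> 32-bit nonce (assumed widths).
   Widening sign-extends, as a signed 16-bit int would. */
int32_t roundtrip_nonce(int32_t sent) {
    uint16_t low = low_word((uint32_t)sent);
    return (low & 0x8000u) ? (int32_t)low - 65536 : (int32_t)low;
}

/* Strict check: the reply must echo all 32 bits of the nonce. */
int nonce_matches_full(int32_t sent, int32_t received) {
    return sent == received;
}

/* Workaround check: only the low word is compared. */
int nonce_matches_low_word(int32_t sent, int32_t received) {
    return low_word((uint32_t)sent) == low_word((uint32_t)received);
}

/* Count how many of the `window` consecutive values starting at `sent`
   the low-word check would accept as a valid echo of `sent`. */
uint32_t count_accepted_in_window(int32_t sent, uint32_t window) {
    uint32_t accepted = 0;
    for (uint32_t k = 0; k < window; k++) {
        uint32_t candidate = (uint32_t)sent + k;   /* unsigned: no overflow UB */
        if (low_word(candidate) == low_word((uint32_t)sent))
            accepted++;
    }
    return accepted;
}

int main(void) {
    int32_t sent = 0x1234ABCD;                     /* constructed sample nonce */
    int32_t back = roundtrip_nonce(sent);
    printf("sent=%ld received=%ld\n", (long)sent, (long)back);
    printf("full match: %d, low-word match: %d\n",
           nonce_matches_full(sent, back), nonce_matches_low_word(sent, back));
    printf("values accepted in a 2^20 window: %lu (strict check: 1)\n",
           (unsigned long)count_accepted_in_window(sent, 1u << 20));
    return 0;
}
```

With the low-word comparison the reply check distinguishes only 2^16 nonce values instead of 2^32, so carrying the full 32-bit value through the encoder is the fix that preserves the nonce's purpose.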