[16283] in Kerberos_V5_Development
Re: wrong checksum type for arcfour-hmac-md5
daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Sep 15 10:35:30 2010
From: Luke Howard <lhoward@mit.edu>
In-Reply-To: <4C90D666.2010403@samba.org>
Date: Wed, 15 Sep 2010 16:35:22 +0200
Message-Id: <B5C9161B-116D-4F8F-8574-7D8DF67CC99F@mit.edu>
To: Stefan (metze) Metzmacher <metze@samba.org>
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
On 15/09/2010, at 4:21 PM, Stefan (metze) Metzmacher wrote:
> Hi Luke,
>
> I found that MIT Kerberos uses the wrong (not the same as Windows and Heimdal) checksum for arcfour-hmac-md5.
I would be cautious about changing the default checksum type for rc4-hmac in etypes.c. RFC 4757 is pretty clear that the mandatory checksum type is CKSUMTYPE_HMAC_MD5_ARCFOUR.
Can you point me to where in the GSS-API RFCs and/or Windows protocol documents it specifies *not* sending a 0x8003 as part of the AP-REQ in a Kerberos InitialContextToken? I don't believe Windows clients ever do this? Samba is taking advantage of the fact that Windows servers are liberal acceptors but this isn't specified anywhere to my knowledge (OK, I haven't looked).
I would suggest instead your self-made GSSAPI use krb5_auth_con_set_req_cksumtype() to force the checksum type you want.
-- Luke
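The 0x8003 checksum Luke refers to is the GSS-API authenticator checksum of RFC 4121 section 4.1.1: not a keyed checksum over the AP-REQ at all, but a fixed-layout structure carrying the channel-binding hash, the GSS context flags and, optionally, a delegated KRB-CRED, which is why its type is independent of the enctype's mandatory checksum (CKSUMTYPE_HMAC_MD5_ARCFOUR, -138, for rc4-hmac per RFC 4757). The encoder, parser and acceptor-side binding check below are an added example written for this page, not code from the thread, MIT Kerberos, Heimdal or Samba; the field layout follows RFC 4121 sections 4.1.1 and 4.1.1.2, the flag values are the RFC 2744 constants, and the KRB-CRED bytes used in the sample are a constructed placeholder rather than a real message.

```python
import hashlib
import struct

# Checksum type RFC 4121 section 4.1.1 puts in the AP-REQ authenticator of a
# Kerberos GSS-API initial context token.
CKSUMTYPE_GSSAPI = 0x8003  # 32771

# Checksum type RFC 4757 mandates for rc4-hmac (arcfour-hmac-md5) outside GSS.
CKSUMTYPE_HMAC_MD5_ARCFOUR = -138

# GSS-API context flags (RFC 2744 values) as carried in the Flags field.
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20

BND_LENGTH = 16


def channel_binding_hash(initiator_addrtype=0, initiator_address=b"",
                         acceptor_addrtype=0, acceptor_address=b"",
                         application_data=b""):
    """MD5 over the channel bindings in the RFC 4121 4.1.1.2 layout: each
    address type is a 4-octet little-endian integer, each octet string a
    4-octet little-endian length followed by the octets."""
    buf = struct.pack("<I", initiator_addrtype)
    buf += struct.pack("<I", len(initiator_address)) + initiator_address
    buf += struct.pack("<I", acceptor_addrtype)
    buf += struct.pack("<I", len(acceptor_address)) + acceptor_address
    buf += struct.pack("<I", len(application_data)) + application_data
    return hashlib.md5(buf).digest()


def build_gss_checksum(flags, bindings=None, krb_cred=None, exts=b""):
    """Encode the 0x8003 checksum value:
    Lgth(4) Bnd(16) Flags(4) [DlgOpt(2) Dlgth(2) Deleg] [Exts], all
    little-endian.  Without bindings Bnd is sixteen zero octets."""
    bnd = (b"\x00" * BND_LENGTH if bindings is None
           else channel_binding_hash(**bindings))
    if krb_cred is not None:
        flags |= GSS_C_DELEG_FLAG
    out = struct.pack("<I", BND_LENGTH) + bnd + struct.pack("<I", flags)
    if krb_cred is not None:
        # DlgOpt is fixed at 1; Deleg is the KRB-CRED message (opaque here).
        out += struct.pack("<HH", 1, len(krb_cred)) + krb_cred
    return out + exts


def parse_gss_checksum(data):
    """Decode a 0x8003 checksum value, rejecting truncated or malformed input
    rather than reading past the end of what was received."""
    if len(data) < 24:
        raise ValueError("0x8003 checksum shorter than the fixed 24 octets")
    (lgth,) = struct.unpack_from("<I", data, 0)
    if lgth != BND_LENGTH:
        raise ValueError("unexpected Bnd length %d" % lgth)
    bnd = data[4:20]
    (flags,) = struct.unpack_from("<I", data, 20)
    pos = 24
    krb_cred = None
    if flags & GSS_C_DELEG_FLAG:
        if len(data) < pos + 4:
            raise ValueError("DELEG flag set but DlgOpt/Dlgth missing")
        dlgopt, dlgth = struct.unpack_from("<HH", data, pos)
        pos += 4
        if dlgopt != 1:
            raise ValueError("unknown DlgOpt %d" % dlgopt)
        if len(data) < pos + dlgth:
            raise ValueError("Dlgth exceeds the data received")
        krb_cred = data[pos:pos + dlgth]
        pos += dlgth
    return {"bnd": bnd, "flags": flags, "krb_cred": krb_cred,
            "exts": data[pos:]}


def bindings_match(cksum, bindings):
    """Acceptor-side check: Bnd must equal the hash of the acceptor's own
    channel bindings (strict comparison; no tolerance for a zero Bnd)."""
    return cksum["bnd"] == channel_binding_hash(**bindings)


if __name__ == "__main__":
    # Constructed sample: the usual mutual-auth flag set, no bindings, no
    # delegation.  Prints the 24-octet value and its decoded fields.
    sample_flags = (GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG
                    | GSS_C_CONF_FLAG | GSS_C_INTEG_FLAG)
    blob = build_gss_checksum(sample_flags)
    print(blob.hex())
    print(parse_gss_checksum(blob))
```

Note that the acceptor's policy on an all-zero Bnd (sent by initiators that supply no channel bindings) is a separate decision; `bindings_match` is deliberately strict, and a liberal acceptor would special-case the zero value before calling it.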
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev