[16292] in Kerberos_V5_Development
Re: wrong checksum type for arcfour-hmac-md5
daemon@ATHENA.MIT.EDU (Greg Hudson)
Wed Sep 15 12:12:58 2010
From: Greg Hudson <ghudson@mit.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100915160832.GO3982@oracle.com>
Date: Wed, 15 Sep 2010 12:12:53 -0400
Message-ID: <1284567173.5992.1662.camel@ray>
Mime-Version: 1.0
Cc: Luke Howard <lhoward@mit.edu>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
> Why isn't this considered a bug in the server??
All we know so far (assuming all of the given information is correct) is
that the server will accept a GSSAPI authenticator with an rsa-md5
checksum--which is not valid--but won't accept one with an hmac-md5
checksum.
That's not a bug in the server; if anything, the server is being overly
permissive by accepting rsa-md5. It's a bug in the "home-grown GSSAPI"
client that it's not jusing a GSSAPI authenticator checksum.
If there are other circumstances where the server will accept rsa-md5 in
an authenticator and not hmac-md5, that's worth knowing about.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
