[16296] in Kerberos_V5_Development
Re: wrong checksum type for arcfour-hmac-md5
daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Sep 15 12:25:33 2010
Message-Id: <7326650D-B9DD-4FFB-832A-7C5DA50B5ABC@mit.edu>
From: Luke Howard <lhoward@mit.edu>
To: Nicolas Williams <Nicolas.Williams@oracle.com>
In-Reply-To: <20100915161625.GP3982@oracle.com>
Mime-Version: 1.0 (iPhone Mail 7D11)
Date: Wed, 15 Sep 2010 18:24:18 +0200
Cc: "krbdev@mit.edu Dev List" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
That's a lot of deployed samba though. Is it Windows or Heimdal that's
not accepting the keyed checksum?
Sent from my iPhone
On 15/09/2010, at 18:16, Nicolas Williams
<Nicolas.Williams@oracle.com> wrote:
> On Wed, Sep 15, 2010 at 12:12:53PM -0400, Greg Hudson wrote:
>>> Why isn't this considered a bug in the server??
>>
>> All we know so far (assuming all of the given information is
>> correct) is
>> that the server will accept a GSSAPI authenticator with an rsa-md5
>> checksum--which is not valid--but won't accept one with an hmac-md5
>> checksum.
>>
>> That's not a bug in the server; if anything, the server is being
>> overly
>> permissive by accepting rsa-md5. It's a bug in the "home-grown
>> GSSAPI"
>> client that it's not jusing a GSSAPI authenticator checksum.
>
> Fine, then I'd say the bug is in the home-grown initiator.
>
>> If there are other circumstances where the server will accept rsa-
>> md5 in
>> an authenticator and not hmac-md5, that's worth knowing about.
>>
>>
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
