[16298] in Kerberos_V5_Development
Re: wrong checksum type for arcfour-hmac-md5
daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Sep 15 13:35:27 2010
From: Sam Hartman <hartmans@mit.edu>
To: Greg Hudson <ghudson@mit.edu>
Date: Wed, 15 Sep 2010 13:35:03 -0400
In-Reply-To: <1284568040.5992.1668.camel@ray> (Greg Hudson's message of "Wed,
15 Sep 2010 12:27:19 -0400")
Message-ID: <tsllj72kj08.fsf@live.mit.edu>
MIME-Version: 1.0
Cc: Luke Howard <lhoward@mit.edu>, "krbdev@mit.edu Dev List" <krbdev@mit.edu>,
Nicolas Williams <nicolas.williams@oracle.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
>>>>> "Greg" == Greg Hudson <ghudson@MIT.EDU> writes:
Greg> On Wed, 2010-09-15 at 12:15 -0400, Luke Howard wrote:
>> The trace simo attached showed unkeyed checksum in a tgs req,
>> IIRC
Greg> Yes, but that's not directly to the failure case. We have no
Greg> reason to believe that a tgs-req with an hmac-md5
Greg> authenticator checksum will be rejected by AD.
My current thinking on this is that the bug is in Samba. Based on the
evidence so far I don't support this change. Having the mandatory
checksum for an enctype be unkeyed is problematic for a number of things
including FAST, PKINIT, the securID stuff I'm working on and the OTP
preauth under last call in krb-wg.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
