[16736] in Kerberos_V5_Development


Re: Decrypting KRB_CRED in AP_REQ

daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu Mar 31 10:52:19 2011

From: Greg Hudson <ghudson@mit.edu>
To: Weijun Wang <weijun.wang@oracle.com>
In-Reply-To: <4D940056.7000909@oracle.com>
Date: Thu, 31 Mar 2011 10:52:09 -0400
Message-ID: <1301583129.10465.320.camel@t410>
Mime-Version: 1.0
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

On Thu, 2011-03-31 at 00:17 -0400, Weijun Wang wrote:
> Here, it seems the decrypt key should be the session key of the service
> ticket. What shall I do if the authenticator has a subkey?

You should still use the session key of the service ticket.

Heimdal and MIT krb5 both attempt to decrypt with the session key and
subkey.  But Microsoft Kerberos only decrypts with the session key.  We
found this out the hard way when we accidentally started encrypting
GSSAPI forwarded creds with the subkey in 1.8.

> So, does the case in RFC 4121 4.1.1 I quoted above belong to "this
> specific application session"?

I would not say that GSSAPI forwarded creds belong to the application
session, no.  At any rate, the more specific statement in RFC 4121 takes
precedence.
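
The interoperability point in the reply above, as an added illustration that is not part of this thread nor of any krb5, Heimdal or Microsoft code: a toy receiver that models the lenient key trial (session key, then authenticator subkey, as MIT and Heimdal do) against the strict one (session key only, as the reply describes for Microsoft), fed a KRB_CRED encrypted correctly and one encrypted with the subkey as in the 1.8 mistake. The cipher is a constructed HMAC-based stand-in, not RFC 3961 encryption, and all keys and the credential bytes are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed toy cipher standing in for a Kerberos EncryptedData: an HMAC-SHA256
# keystream XORed over the plaintext, plus an HMAC tag so a wrong key is detected.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def toy_decrypt(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None  # integrity failure: this is not the key the sender used
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def decrypt_krb_cred(enc_part: bytes, session_key: bytes, subkey=None, lenient=True):
    """Receiver side. lenient=True tries the ticket session key and then the
    authenticator subkey (MIT/Heimdal); lenient=False tries the session key only
    (the Microsoft behaviour the reply describes). Returns (key used, plaintext)."""
    candidates = [("session key", session_key)]
    if lenient and subkey is not None:
        candidates.append(("authenticator subkey", subkey))
    for name, key in candidates:
        pt = toy_decrypt(key, enc_part)
        if pt is not None:
            return name, pt
    return None, None

def demo() -> dict:
    session_key, subkey = os.urandom(32), os.urandom(32)   # constructed keys
    cred = b"EncKrbCredPart: forwarded TGT for user@EXAMPLE.COM"  # constructed payload
    good = toy_encrypt(session_key, cred)   # what the sender should always do
    bad = toy_encrypt(subkey, cred)         # the 1.8 mistake: subkey-encrypted creds
    return {
        "correct/lenient": decrypt_krb_cred(good, session_key, subkey, True)[0],
        "correct/strict": decrypt_krb_cred(good, session_key, subkey, False)[0],
        "subkey/lenient": decrypt_krb_cred(bad, session_key, subkey, True)[0],
        "subkey/strict": decrypt_krb_cred(bad, session_key, subkey, False)[0],
    }
```

Only the session-key-encrypted credential decrypts under both receivers; the subkey-encrypted one is accepted by the lenient receiver and rejected by the strict one, which is the interop failure the reply recounts.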


_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
