[16738] in Kerberos_V5_Development
Re: Decrypting KRB_CRED in AP_REQ
daemon@ATHENA.MIT.EDU (Weijun Wang)
Fri Apr 1 03:08:58 2011
Message-ID: <4D952C9A.7060705@oracle.com>
Date: Fri, 01 Apr 2011 09:38:34 +0800
From: Weijun Wang <weijun.wang@oracle.com>
MIME-Version: 1.0
To: Greg Hudson <ghudson@mit.edu>
In-Reply-To: <1301583129.10465.320.camel@t410>
Cc: "krbdev@mit.edu" <krbdev@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 03/31/2011 10:52 PM, Greg Hudson wrote:
> On Thu, 2011-03-31 at 00:17 -0400, Weijun Wang wrote:
>> Here, it seems the decrypt key should be the session key of the service
>> ticket. What shall I do if the authenticator has a subkey?
>
> You should still use the session key of the service ticket.
>
> Heimdal and MIT krb5 both attempt to decrypt with the session key and
> subkey. But Microsoft Kerberos only decrypts with the session key. We
> found this out the hard way when we accidentally started encrypting
> GSSAPI forwarded creds with the subkey in 1.8.
So, the following paragraph on
http://packages.qa.debian.org/k/krb5/news/20100411T160238Z.html is about
this issue?
* Testing of Kerberos 1.8 showed an incompatibility between Heimdal/MIT
Kerberos and Microsoft Kerberos; resolve this incompatibility. As a
result, mixing KDCs between 1.8 and 1.8.1 in the same realm may
produce undesirable results for constrained delegation. Again,
another reason to replace 1.8 with 1.8.1 as soon as possible.
I cannot find a related bug id. Is the old behavior back in 1.8.1?
Thanks
Max
>
> >> So, does the case in RFC 4121 4.1.1 I quoted above belong to "this
>> specific application session"?
>
> I would not say that GSSAPI forwarded creds belong to the application
> session, no. At any rate, the more specific statement in RFC 4121 takes
> precedence.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
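The interoperability problem Greg Hudson describes above, modelled as an added example that is not part of the thread and not code from MIT krb5, Heimdal or Microsoft Kerberos. The real RFC 3961/3962 enctypes are replaced by an HMAC-SHA256 stand-in so the block runs on the standard library alone; what the example is meant to show is the acceptor-side key choice for the KRB_CRED enc-part: an MIT/Heimdal-style acceptor tries the ticket session key and then the authenticator subkey, a Microsoft-style acceptor tries only the session key, and a sender that encrypts with the subkey (the 1.8 behaviour mentioned above) therefore works against the former and fails against the latter. The key-usage number 14 is the RFC 4120 value for the KRB-CRED encrypted part; the keys, nonce layout and function names are assumptions made for this demonstration.

```python
"""Toy model of which key an acceptor tries for a GSSAPI-forwarded KRB_CRED."""
import hashlib
import hmac
import os
from typing import Optional

# RFC 4120 key-usage number for the KRB-CRED encrypted part.
KEY_USAGE_KRB_CRED = 14


class DecryptError(Exception):
    pass


def _derive(key: bytes, usage: int, label: bytes) -> bytes:
    # Stand-in for RFC 3961 key derivation: bind the base key to a usage number
    # and a purpose label. Not a real Kerberos enctype; assumption for this demo.
    return hmac.new(key, usage.to_bytes(4, "big") + label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, usage: int, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Toy EncryptedData: nonce || ciphertext || 96-bit tag, keyed per usage number."""
    nonce = os.urandom(16) if nonce is None else nonce
    ke = _derive(key, usage, b"encrypt")
    ki = _derive(key, usage, b"integrity")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ke, nonce, len(plaintext))))
    tag = hmac.new(ki, nonce + ct, hashlib.sha256).digest()[:12]
    return nonce + ct + tag


def decrypt(key: bytes, usage: int, blob: bytes) -> bytes:
    """Verify the tag under the usage-bound integrity key, then decrypt; raise on a wrong key."""
    nonce, ct, tag = blob[:16], blob[16:-12], blob[-12:]
    ki = _derive(key, usage, b"integrity")
    expected = hmac.new(ki, nonce + ct, hashlib.sha256).digest()[:12]
    if not hmac.compare_digest(expected, tag):
        raise DecryptError("integrity check failed (wrong key?)")
    ke = _derive(key, usage, b"encrypt")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ke, nonce, len(ct))))


def make_forwarded_cred(session_key: bytes, subkey: bytes, cred_plain: bytes,
                        encrypt_with_subkey: bool = False) -> bytes:
    """Initiator side: encrypt the KRB_CRED enc-part that travels with the AP_REQ.

    encrypt_with_subkey=True reproduces the krb5 1.8 behaviour described in the
    thread; the interoperable choice is the ticket session key.
    """
    key = subkey if encrypt_with_subkey else session_key
    return encrypt(key, KEY_USAGE_KRB_CRED, cred_plain)


def accept_mit_heimdal(session_key: bytes, subkey: Optional[bytes], blob: bytes) -> bytes:
    """Acceptor as the thread describes MIT/Heimdal: session key first, then the subkey."""
    for key in (session_key, subkey):
        if key is None:
            continue
        try:
            return decrypt(key, KEY_USAGE_KRB_CRED, blob)
        except DecryptError:
            continue
    raise DecryptError("KRB_CRED decrypts with neither session key nor subkey")


def accept_microsoft(session_key: bytes, subkey: Optional[bytes], blob: bytes) -> bytes:
    """Acceptor as the thread describes Microsoft Kerberos: session key only."""
    return decrypt(session_key, KEY_USAGE_KRB_CRED, blob)


def interop_matrix(cred_plain: bytes = b"constructed KRB_CRED enc-part (forwarded TGT)") -> dict:
    """Which (sender, acceptor) pairs recover the forwarded credential."""
    session_key, subkey = os.urandom(32), os.urandom(32)  # constructed keys
    results = {}
    for sender, with_subkey in (("session-key sender", False), ("subkey sender (krb5 1.8)", True)):
        blob = make_forwarded_cred(session_key, subkey, cred_plain, with_subkey)
        for acceptor, fn in (("MIT/Heimdal", accept_mit_heimdal), ("Microsoft", accept_microsoft)):
            try:
                results[(sender, acceptor)] = fn(session_key, subkey, blob) == cred_plain
            except DecryptError:
                results[(sender, acceptor)] = False
    return results


if __name__ == "__main__":
    for (sender, acceptor), ok in interop_matrix().items():
        print(f"{sender:26s} -> {acceptor:12s}: {'ok' if ok else 'FAIL'}")
```

Running the block prints the four sender/acceptor combinations; the only failing one is the subkey-encrypting sender talking to the session-key-only acceptor, which is the mismatch the thread attributes to 1.8 against Microsoft Kerberos. The usage-number binding also means that even the right key with the wrong usage number fails the integrity check, which is why the example keeps KEY_USAGE_KRB_CRED separate from the other AP_REQ usages.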