[16785] in Kerberos_V5_Development
RE: GSS MIC problems between Unix and Windows
daemon@ATHENA.MIT.EDU (Richard Evans)
Tue May 3 05:09:27 2011
From: Richard Evans <richard.evans@datanomic.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>
Date: Tue, 3 May 2011 10:07:00 +0100
Message-ID: <A1214490773E01458F32544FE696582221368223@THHS2E12BE8X.hostedservice2.net>
In-Reply-To: <974066EF77EEA44EB8AED6ADA05DBD0202C9C163@THHS2EXBE1X.hostedservice2.net>
I'm still having problems with this. Does anyone have any clues, or is this just a fundamental problem with Kerberos/Windows interaction? Further tests indicate that signature verification also fails with Windows 2000, so it is not specific to Windows 7.
Richard
-----Original Message-----
Sent: 06 April 2011 17:00
To: krbdev@mit.edu
Subject: GSS MIC problems between Unix and Windows
I'm using the gss APIs on a Linux box to establish a context with a
Windows 7 system using SSPI. The context is established fine at both
ends in one handshake, as expected. The 'supports integrity checking'
flag is correctly set on both contexts.
However I'm then trying to verify a message by generating a MIC at the
Unix end, using gss_get_mic, and verifying at the Windows end using
VerifySignature. I can never get the verification to succeed. I get
similar problems if I generate the MIC on Windows using MakeSignature
and verify it on Unix, using gss_verify_mic.
At the Unix end I've tried both the implementation in Java 1.6u24, and
native Kerberos libraries (1.7.1 on Fedora 12). The MIC generated when
the client or server uses the Java APIs is 37 bytes long and looks like
the format described in RFC 1964; the MIC when native Kerberos is used
is 28 bytes long and seems to match RFC 4121.
I can get the test to work if both ends are Windows or both ends are
Unix, but not with a mixture.
Are there any special tricks or problems with using VerifySignature and
gss_get_mic?
The background is that I'm testing gssapi-with-mic support in Apache
SSHD - the final MIC verification is failing.
Richard
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
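Added example (not part of the original message or of any project's code): a small parser that tells the two MIC token layouts mentioned above apart and shows where the 37-byte and 28-byte lengths come from. The function name and the sample tokens are constructed for illustration; the checksum and sequence bytes in the samples are placeholders, not real MIC output.

```python
KRB5_OID = bytes.fromhex("2a864886f712010202")  # 1.2.840.113554.1.2.2

def _der_len(buf, i):
    """Decode a DER length at buf[i]; return (length, index after it)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    if n == 0 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify_mic(tok):
    """Identify the MIC token layout and return its cleartext header fields."""
    if len(tok) >= 16 and tok[:2] == b"\x04\x04":
        # RFC 4121: TOK_ID 04 04, Flags, 5 filler bytes, 64-bit SND_SEQ,
        # then the checksum. These tokens carry no GSS-API framing.
        if tok[3:8] != b"\xff" * 5:
            raise ValueError("bad RFC 4121 filler")
        return {"format": "RFC 4121",
                "sent_by_acceptor": bool(tok[2] & 0x01),
                "acceptor_subkey": bool(tok[2] & 0x04),
                "seq": int.from_bytes(tok[8:16], "big"),
                "cksum_len": len(tok) - 16}
    if len(tok) < 4 or tok[0] != 0x60:
        raise ValueError("not a Kerberos MIC token")
    # RFC 1964: 0x60, DER length, mechanism OID, then TOK_ID 01 01, SGN_ALG,
    # 4 filler bytes, encrypted SND_SEQ (8 bytes, not readable here), checksum.
    body_len, i = _der_len(tok, 1)
    if body_len != len(tok) - i or body_len < 2 or tok[i] != 0x06:
        raise ValueError("bad GSS-API framing")
    oid_end = i + 2 + tok[i + 1]
    if tok[i + 2:oid_end] != KRB5_OID:
        raise ValueError("mechanism is not Kerberos 5")
    inner = tok[oid_end:]
    if len(inner) < 16 or inner[:2] != b"\x01\x01" or inner[4:8] != b"\xff" * 4:
        raise ValueError("bad RFC 1964 MIC header")
    return {"format": "RFC 1964", "sgn_alg": inner[2:4].hex(),
            "cksum_len": len(inner) - 16}

# Constructed samples: 13 framing bytes + 16 header bytes + 8-byte checksum = 37,
# and 16 header bytes + 12-byte checksum = 28.
SAMPLE_1964 = (bytes.fromhex("60230609") + KRB5_OID
               + bytes.fromhex("01010000ffffffff") + bytes(16))
SAMPLE_4121 = bytes.fromhex("040400ffffffffff") + (7).to_bytes(8, "big") + bytes(12)

if __name__ == "__main__":
    for name, tok in (("SAMPLE_1964", SAMPLE_1964), ("SAMPLE_4121", SAMPLE_4121)):
        print(name, len(tok), classify_mic(tok))
```

Feeding it the raw bytes returned by gss_get_mic and by MakeSignature shows whether each side emits a token in the layout the other side expects.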