[16790] in Kerberos_V5_Development

home help back first fref pref prev next nref lref last post

Re: GSS MIC problems between Unix and Windows

daemon@ATHENA.MIT.EDU (Olga Kornievskaia)
Tue May 3 15:31:29 2011

MIME-Version: 1.0
In-Reply-To: <974066EF77EEA44EB8AED6ADA05DBD0202C9C163@THHS2EXBE1X.hostedservice2.net>
Date: Tue, 3 May 2011 15:31:23 -0400
Message-ID: <BANLkTimVOnATa8RQa8vBYXC6uwx14s8GYQ@mail.gmail.com>
From: Olga Kornievskaia <aglo@citi.umich.edu>
To: Richard Evans <richard.evans@datanomic.com>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="iso-8859-1"
Errors-To: krbdev-bounces@mit.edu
Content-Transfer-Encoding: 8bit

What error code do you get from VerifySignature()?

On Wed, Apr 6, 2011 at 11:59 AM, Richard Evans
<richard.evans@datanomic.com> wrote:
> I'm using the gss APIs on a Linux box to establish a context with a
> Windows 7 system using SSPI.  The context is established fine at both
> ends in one handshake, as expected.  The 'supports integrity checking'
> flag is correctly set on both contexts.
>
> However I'm then trying to verify a message by generating a MIC at the
> Unix end, using gss_get_mic, and verifying at the Windows end using
> VerifySignature.  I can never get the verification to succeed.  I get
> similar problems if I generate the MIC on Windows using MakeSignature
> and verify it on Unix, using gss_verify_mic.
>
> At the Unix end I've tried both the implementation in Java 1.6u24, and
> native Kerberos libraries (1.7.1 on Fedora 12). The MIC generated when
> the client or server uses the Java APIs is 37 bytes long and looks like
> the format described in RFC 1964; the MIC when native Kerberos is used
> is 28 bytes long and seems to match RFC 4121.
>
> I can get the test to work if both ends are Windows or both ends are
> Unix, but not with a mixture.
>
> Are there any special tricks or problems with using VerifySignature and
> gss_get_mic?
>
> The background is that I'm testing gssapi-with-mic support in Apache
> SSHD - the final MIC verification is failing.
>
> Richard
>
> _______________________________________________
> krbdev mailing list             krbdev@mit.edu
> https://mailman.mit.edu/mailman/listinfo/krbdev
>

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
home help back first fref pref prev next nref lref last post