[17028] in Kerberos_V5_Development


Multiple ETYPE-INFO-ENTRY with same etype but different salts

daemon@ATHENA.MIT.EDU (Weijun Wang)
Fri Jul 15 08:34:49 2011

Message-ID: <4E1FEA8F.5010506@oracle.com>
Date: Fri, 15 Jul 2011 15:21:51 +0800
From: Weijun Wang <weijun.wang@oracle.com>
To: "krbdev@mit.edu" <krbdev@mit.edu>

Hi All

I have a customer whose KDC sends out the following packet as the
response to the initial login:

Kerberos KRB-ERROR
     ....
     error_code: KRB5KDC_ERR_PREAUTH_REQUIRED (25)
     e-data
         padata:
             Type: PA-ENCTYPE-INFO (11)
                 Value:
                     Encryption type: des-cbc-crc (1)
                     Encryption type: des-cbc-crc (1)
                     Salt: <MISSING>
                     Encryption type: des-cbc-crc (1)
                     Salt: "XXX.EDU"
             ...

The PA-ENCTYPE-INFO's detailed ASN.1 structure is:

   SEQUENCE
       SEQUENCE
           [0] INTEGER 1
       SEQUENCE
           [0] INTEGER 1
           [1] OCTET STRING  ""
       SEQUENCE
           [0] INTEGER 1
           [1] OCTET STRING  "XXX.EDU"

As you can see, it includes multiple entries for the des-cbc-crc etype
and they have different salt values. Also, the last value "XXX.EDU" is
wrong. If I use it as the salt to generate a secret key and send a
timestamp, the KDC rejects me. Only if the default salt "XXX.EDUuser" is
used do I get the AS-REP.

I looked up RFC 4120 and there is no spec on what to do when there are
multiple ETYPE-INFO-ENTRYs with the same etype but different salts. What
shall I do now? Or, is there a way to reconfigure their KDC and avoid
such a response?

Thanks
Max

_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
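
The structure quoted in the message, decoded as an added example (not code from the post or from any Kerberos implementation): a minimal DER walk over a constructed copy of the three ETYPE-INFO entries that keeps an absent salt (None) distinct from an empty one and reports etypes listed with more than one salt. The function names and the sample bytes are assumptions built from the ASN.1 shown in the message.

```python
# ETYPE-INFO ::= SEQUENCE OF SEQUENCE { etype [0] Int32, salt [1] OCTET STRING OPTIONAL }
def read_tlv(buf, pos):  # returns (tag, content, next_pos) for one DER TLV
    tag, length = buf[pos:pos + 2]  # ValueError if fewer than two bytes remain
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value

def parse_etype_info(der):
    """Return [(etype, salt)] in KDC order; salt is None when the field is absent."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected one outer SEQUENCE")
    entries = []
    for tag, item in children(body):
        fields = dict(children(item))
        if tag != 0x30 or 0xA0 not in fields:
            raise ValueError("malformed ETYPE-INFO-ENTRY")
        etype = int.from_bytes(read_tlv(fields[0xA0], 0)[1], "big", signed=True)
        salt = read_tlv(fields[0xA1], 0)[1] if 0xA1 in fields else None
        entries.append((etype, salt))
    return entries

def conflicting_salts(entries):
    """Map etype -> distinct salts in KDC order, for etypes listed with more than one."""
    seen = {}
    for etype, salt in entries:
        if salt not in seen.setdefault(etype, []):
            seen[etype].append(salt)
    return {e: s for e, s in seen.items() if len(s) > 1}

def tlv(tag, content):  # short-form encoder, used only to build the sample
    return bytes([tag, len(content)]) + content

def make_entry(etype, salt=None):
    opt = tlv(0xA1, tlv(0x04, salt)) if salt is not None else b""
    return tlv(0x30, tlv(0xA0, tlv(0x02, bytes([etype]))) + opt)

# Constructed sample mirroring the three entries in the post (not captured traffic).
SAMPLE = tlv(0x30, make_entry(1) + make_entry(1, b"") + make_entry(1, b"XXX.EDU"))
print(conflicting_salts(parse_etype_info(SAMPLE)))
```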
