[33210] in Kerberos
GSSAPI issue from Windows clients
daemon@ATHENA.MIT.EDU (Carson Gaspar)
Wed Feb 16 03:07:51 2011
Message-ID: <4D5B85CF.9030002@taltos.org>
Date: Wed, 16 Feb 2011 00:07:43 -0800
From: Carson Gaspar <carson@taltos.org>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
While tracking down an openssh GSSAPI auth issue, I've fallen into the
bowels of the KRB5 libraries.
Client is Win 2k3, using x-realm auth from AD to our MIT KDC.
When linking against 1.6.x libs, everything works fine.
When linking against 1.8.x or 1.9, it fails with KRB5_BAD_MSIZE
I backtraced it to krb5int_hmac_keyblock complaining that output->length
(8) is less than hash->hashsize (16).
This is being called from krb5int_hmacmd5_checksum, where I see
key->keyblock.enctype is 1 (ENCTYPE_DES_CFB64), key->keyblock.length is 8
This all appear to make sense (DES is a 64-bit key, MD5 output is 128
bits), but of course fails miserably.
Does anyone have any clues to lend? I see a note in 1.8.3 that some
things were taking the MS MD5 code path that shouldn't be, but 1.8.3
claims to fix that, and 1.8.3 fails the same way 1.8.2 does.
--
Carson
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
