[39520] in Kerberos
GSS unwrap fails using RC4 session key instead of subkey
daemon@ATHENA.MIT.EDU (Michael B Allen)
Wed May 7 13:36:56 2025
From: Michael B Allen <ioplex@gmail.com>
Date: Wed, 7 May 2025 13:36:34 -0400
Message-ID: <CAGMFw4h2LAOk0qLXkf0mg8yWTZNdXTHZgBcC2Lpupj=UX+fJ_g@mail.gmail.com>
To: kerberos <kerberos@mit.edu>

When using the MIT Kerberos gss-client program to initiate an RC4 resource,
my acceptor implementation (custom, not Sun Java) fails to unwrap() because
the MITK initiator is using the session key instead of the subkey.

My initiator unconditionally uses the subkey, which works with gss-server
(and the Windows SSPI initiator or acceptor).

Presumably I'm screwing up some flag during the AP-REQ/REP exchange.
Unfortunately running gss-client with the -pass option results in
PREAUTH_FAILED whereas without gdb it strangely works.

Where does the MITK initiator select the session key vs the subkey?

Bonus question: Is there a trick to getting gdb to work with gss-client
-pass?

Mike

PS: Yes, RC4 is discontinued but I decided to support it so it needs to
work 100%.

--
Michael B Allen
Java AD DS Integration
https://www.ioplex.com/