[krbdev.mit.edu #3205] AS_REP padata has wrong enctype

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

[krbdev.mit.edu #3205] AS_REP padata has wrong enctype

Greg Hudson via RT
>From [hidden email]  Wed Oct  5 17:14:20 2005
Received: from pch.mit.edu (PCH.MIT.EDU []) by krbdev.mit.edu (8.9.3p2) with ESMTP
        id RAA16778; Wed, 5 Oct 2005 17:14:20 -0400 (EDT)
Received: from pch.mit.edu (pch.mit.edu [])
        by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j95LDhpx024203
        for <[hidden email]>; Wed, 5 Oct 2005 17:13:43 -0400
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU
        by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j94LH4px028536
        for <[hidden email]>; Tue, 4 Oct 2005 17:17:04 -0400
Received: from brmea-mail-4.sun.com (brmea-mail-4.Sun.COM [])
        for <[hidden email]>; Tue, 4 Oct 2005 17:17:02 -0400 (EDT)
Received: from centralmail1brm.Central.Sun.COM
        (centralmail1brm.central.sun.com [])
        by brmea-mail-4.sun.com (8.12.10/8.12.9) with ESMTP id j94LH1vD005719
        for <[hidden email]>; Tue, 4 Oct 2005 15:17:02 -0600 (MDT)
Received: from alton.central.sun.com (alton.Central.Sun.COM [])
        with ESMTP id j94LGxZv016207
        for <[hidden email]>; Tue, 4 Oct 2005 15:17:00 -0600 (MDT)
Received: from alton.central.sun.com (localhost [])
        for <[hidden email]>; Tue, 4 Oct 2005 16:16:53 -0500 (CDT)
Received: (from willf@localhost)
        by alton.central.sun.com (8.13.4+Sun/8.13.3/Submit) id j94LGq8w002661;
        Tue, 4 Oct 2005 16:16:52 -0500 (CDT)
Date: Tue, 4 Oct 2005 16:16:52 -0500 (CDT)
Message-Id: <[hidden email]>
To: [hidden email]
From: [hidden email]
X-send-pr-version: 3.99
X-Spam-Score: -1.366
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 05 Oct 2005 17:13:43 -0400
X-BeenThere: [hidden email]
X-Mailman-Version: 2.1
Precedence: list
Reply-To: [hidden email]
Sender: [hidden email]
Errors-To: [hidden email]

>Submitter-Id: net
>Originator: William Fiveash
>Organization: Sun Microsystems Inc
>Confidential: no
>Synopsis: AS_REP padata has wrong enctype
>Severity: non-critical
>Priority: low
>Category: krb5-libs
>Class: sw-bug
>Release: krb5-current
System: SunOS alton 5.10 Generic_118822-18 sun4u sparc SUNW,Sun-Blade-1000
Architecture: sun4


The most current version of krb is using the client long-term key
enctype in the PA-ETYPE-INFO2 part of the AS_REP padata.  This violates
RFC4120 which states that the enctype of the enc-part should be used.
Pragmatically if the client's long-term key has des-cbc-md5 and
default_tkt_enctypes = des-cbc-crc then kinit fails.

See the description.

In kdc_preauth.c:return_etype_info2()

+    /* using encrypting_key->enctype as this is specified in rfc4120 */
     retval = _make_etype_info_entry(context, request,
-               client_key, client_key->key_data_type[0],
+               client_key, encrypting_key->enctype,

krb5-bugs mailing list
[hidden email]