Re: TGS revisited
From: Simon Josefsson
Subject: Re: TGS revisited
Date: Tue, 25 Apr 2006 23:36:23 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)
Elrond <address@hidden> writes:
> On Tue, Apr 25, 2006 at 07:53:00PM +0200, Elrond wrote:
> [...]
>> > This could be the problem: from your earlier logs, I think your
>> > current kvno is 2. It seems shishi hard codes the authenticator
>> > checksum kvno to 1, which is bad. I've fixed this in CVS, and I think
>> > the daily Debian packages have it. Could you re-try?
>>
>> Ahhh.
>>
>> Yes, my heimdal keys have kvno > 1 sometimes, too.
>>
>> Okay, will retry soon.
>
> Okay.
>
> Bad news: It did not help.
> Good news: The kvno isn't anymore in the TGS-REQ.
Thanks for testing!
> Okay, here's a quick list, what I can see:
>
> 1) The name-type issue still isn't fixed. (unknown/0, but
> should be Principal/1)
Yup, let's treat that as the next likely problem.
> 2) shishi has a sub-key and sequence number in the TGS-REQ.
> heimdal doesn't. (no idea, if that is good or not.)
These are likely next candidates, although they shouldn't cause
problems. However, Heimdal handles TGS-REQ with subkeys incorrectly,
so it isn't unlikely that w2k3 does something even worse.
The seq-number shouldn't cause problems, but we could try removing it;
it really shouldn't be there.
> 3) I'm starting to get the feeling, that something on my
> box is somewhat mixed up.
I'm not so sure -- let's try to make the ASN.1 packets as similar as
possible first, to rule out any of those problems. We have three
items above to deal with first.
> a) If I find the time, I will compile it on another box
> with access to the w2k3-kdc.
> b) Do I have a realistic chance to verify checksums by
> "hand"? Setting it to md5 in crypto-rc4 would be my
> first step, so that I would "only" need to run md5 on
> some parts of the packet.
Shouldn't be too hard: the checksum is computed over the DER encoding
of the req-body in the KDC-REQ. There is an XXX nit in
shishi_ap_set_tktoptionsasn1usage() which you could watch out for.
> What next?
I'll try to fix the name-type issue first.
Thanks,
Simon
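The by-hand check Elrond asks about, as an added example that is not Shishi's or Heimdal's code and not part of the thread: it pulls the DER KDC-REQ-BODY out of a TGS-REQ with a minimal TLV walker and recomputes the rc4-hmac authenticator checksum (the HMAC-MD5 construction of RFC 4757 section 4, key usage 6 per RFC 4120 section 7.5.1) over it. The TGS-REQ is constructed inline rather than captured, and the session key, realm and principal names are made up; compare the result against the cksum field of the AP-REQ authenticator in the PA-TGS-REQ padata of a real packet.

```python
"""Recompute the rc4-hmac (HMAC-MD5) authenticator checksum that a TGS-REQ
carries over its DER-encoded KDC-REQ-BODY, so it can be checked by hand.

Example code added for this thread; it is not Shishi's or Heimdal's code.
The TGS-REQ below is a constructed, minimal message, not a capture, and the
session key, realm and principal names are made up.
"""
import hashlib
import hmac

# RFC 4120 section 7.5.1: key usage 6 is the PA-TGS-REQ authenticator checksum.
KEY_USAGE_TGS_REQ_AUTH_CKSUM = 6


def der_len(n):
    """DER definite-form length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    """Build one DER TLV; single-octet tags are enough for Kerberos messages."""
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos):
    """Parse the TLV at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def kdc_req_body(kdc_req):
    """Return the DER KDC-REQ-BODY (the SEQUENCE under the [4] EXPLICIT tag)
    from a DER AS-REQ ([APPLICATION 10]) or TGS-REQ ([APPLICATION 12])."""
    tag, seq, _ = read_tlv(kdc_req, 0)
    if tag not in (0x6A, 0x6C):
        raise ValueError("not a KDC-REQ, outer tag 0x%02x" % tag)
    _, fields, _ = read_tlv(seq, 0)          # the SEQUENCE holding pvno, msg-type, ...
    pos = 0
    while pos < len(fields):
        ctag, content, pos = read_tlv(fields, pos)
        if ctag == 0xA4:                     # [4] req-body; EXPLICIT, so content is the SEQUENCE TLV
            return content
    raise ValueError("KDC-REQ has no req-body")


def rc4_hmac_checksum(key, usage, data):
    """HMAC-MD5 checksum of RFC 4757 section 4 (checksum type -138):
    Ksign = HMAC-MD5(K, "signaturekey" + NUL), tmp = MD5(T || data) with T the
    key usage as a 4-octet little-endian integer, result = HMAC-MD5(Ksign, tmp)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(usage.to_bytes(4, "little") + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def authenticator_checksum(session_key, kdc_req):
    """The cksum a client must put in the PA-TGS-REQ authenticator for kdc_req."""
    return rc4_hmac_checksum(session_key, KEY_USAGE_TGS_REQ_AUTH_CKSUM, kdc_req_body(kdc_req))


def sample_tgs_req():
    """Constructed minimal TGS-REQ: pvno 5, msg-type 12, and a req-body with
    kdc-options, realm, sname (name-type NT-PRINCIPAL = 1), till, nonce, etype.
    No padata, so it is not a complete message, only enough to checksum."""
    sname = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x01"))                    # name-type NT-PRINCIPAL
                      + tlv(0xA1, tlv(0x30, tlv(0x1B, b"host")          # name-string
                                            + tlv(0x1B, b"kdc.example.com"))))
    body = tlv(0x30, tlv(0xA0, tlv(0x03, b"\x00\x00\x00\x00\x00"))     # [0] kdc-options, no bits set
                     + tlv(0xA2, tlv(0x1B, b"EXAMPLE.COM"))             # [2] realm
                     + tlv(0xA3, sname)                                 # [3] sname
                     + tlv(0xA5, tlv(0x18, b"20060425213623Z"))         # [5] till
                     + tlv(0xA7, tlv(0x02, b"\x12\x34\x56\x78"))        # [7] nonce
                     + tlv(0xA8, tlv(0x30, tlv(0x02, b"\x17"))))        # [8] etype: rc4-hmac (23)
    return tlv(0x6C, tlv(0x30, tlv(0xA1, tlv(0x02, b"\x05"))            # [1] pvno 5
                               + tlv(0xA2, tlv(0x02, b"\x0C"))          # [2] msg-type KRB_TGS_REQ
                               + tlv(0xA4, body)))                      # [4] req-body


if __name__ == "__main__":
    key = bytes(range(16))                   # made-up 16-octet rc4-hmac session key
    req = sample_tgs_req()
    print("req-body DER:", kdc_req_body(req).hex())
    print("authenticator cksum:", authenticator_checksum(key, req).hex())
```

Note that the checksum covers the KDC-REQ-BODY SEQUENCE itself, not the `[4]` wrapper around it, so any difference in how the two implementations encode the body (name-type 0 versus 1, for instance) changes the value; the key usage must be 6, and the key is the TGT session key, not the ticket's kvno-versioned long-term key.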