[32952] in Kerberos


GSSAPI RFC4121 token support

daemon@ATHENA.MIT.EDU (Derrick Brashear)
Mon Dec 6 13:53:37 2010

Date: Mon, 6 Dec 2010 13:41:31 -0500
Message-ID: <AANLkTin8d84vRTsYmzATidEXt7P15WV8EZdYxHT17CcF@mail.gmail.com>
From: Derrick Brashear <shadow@gmail.com>
To: heimdal-discuss@sics.se, Kerberos List <kerberos@mit.edu>

Hi,

From a little expedition this morning comparing interoperability with
MIT and Heimdal GSSAPI tools, it seems that
support for new tokens hasn't been applied correctly with respect to RFC 4121.

A Heimdal snapshot from earlier today incorrectly did not treat
des3-cbc-sha1 (enctype 7) as a "not newer" enctype,
while Kerberos 1.6 treats des-cbc-md4 (enctype 2) as new and thus
happily passes a valid tok_id 0101 token to be
parsed as a new-style (0404) token... where it fails.

This bug is not present in MIT 1.8.

So, for those having interoperability issues especially between
Heimdal clients and MIT 1.6 servers, you may need
to patch krb5_gss_accept_sec_context on your server.

Fair warning.


-- 
Derrick
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
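
The enctype test the message above refers to, as an added example (not code from MIT Kerberos or Heimdal): the "not newer" list is the one given in RFC 4121 section 1, and a per-message token is accepted only when its TOK_ID style matches the context key's enctype. The function names and sample arrays are hypothetical, and the 2-byte TOK_ID is assumed to have been extracted already, after any RFC 2743 framing on old-style tokens.

```c
#include <stddef.h>
#include <stdint.h>

/* "Not newer" enctypes as listed in RFC 4121 section 1. Anything
 * absent from this list is treated as newer, unassigned numbers included. */
static const int32_t not_newer[] = {
    1, 2, 3,            /* des-cbc-crc, des-cbc-md4, des-cbc-md5 */
    5, 7,               /* des3-cbc-md5, des3-cbc-sha1 */
    9, 10, 11, 12, 13, 14, 15, /* CMS OID enctypes */
    16, 23              /* des3-cbc-sha1-kd, rc4-hmac */
};

/* Returns 1 if the enctype calls for RFC 4121 per-message tokens. */
int enctype_is_newer(int32_t enctype)
{
    size_t i;
    for (i = 0; i < sizeof(not_newer) / sizeof(not_newer[0]); i++)
        if (not_newer[i] == enctype)
            return 0;
    return 1;
}

enum tok_style { TOK_UNKNOWN = 0, TOK_RFC1964, TOK_RFC4121 };

/* Classify the 2-byte TOK_ID of a MIC or Wrap token. */
enum tok_style tok_id_style(const uint8_t id[2])
{
    if ((id[0] == 0x01 || id[0] == 0x02) && id[1] == 0x01)
        return TOK_RFC1964;     /* 01 01 = MIC, 02 01 = Wrap */
    if ((id[0] == 0x04 || id[0] == 0x05) && id[1] == 0x04)
        return TOK_RFC4121;     /* 04 04 = MIC, 05 04 = Wrap */
    return TOK_UNKNOWN;
}

/* Returns 1 only if the token style is the one the context key's
 * enctype calls for; unknown TOK_IDs and mismatches return 0. */
int token_matches_enctype(const uint8_t id[2], int32_t enctype)
{
    enum tok_style s = tok_id_style(id);
    if (s == TOK_UNKNOWN)
        return 0;
    return (s == TOK_RFC4121) == (enctype_is_newer(enctype) == 1);
}

/* Constructed sample TOK_IDs: an old-style MIC and a new-style MIC. */
const uint8_t SAMPLE_OLD_MIC[2] = { 0x01, 0x01 };
const uint8_t SAMPLE_NEW_MIC[2] = { 0x04, 0x04 };
```

With this check, a 01 01 token under a des-cbc-md4 (enctype 2) key is handled as an RFC 1964 token, and a 04 04 token under the same key is rejected instead of being parsed.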
