Re: TGS revisited

[Elrond]

On Tue, Apr 25, 2006 at 05:55:22PM +0200, Simon Josefsson wrote:
> Elrond <address@hidden> writes:
> 
> > shishi-client:
> ...
> > (+)                     Kvno: 1
> 
> This could be the problem, from your earlier logs, I think your
> current kvno is 2.  It seems shishi hard code the authenticator
> checksum kvno to 1, which is bad.  I've fixed this in CVS, and I think
> the daily Debian packages has it.  Could you re-try?

Ahhh.

Yes, my heimdal keys have kvno > 1 sometimes, too.

Okay, will retry soon.


> shishi -v -v -v should display the same information as ethereal does,
> only in a different format, so those logs should be sufficient.
> However, when comparing heimdal output with shishi output, etherreal
> seems very useful (especially when it decrypts messages too).

Right.


> 
> >                                 Checksum
> >>>>>>>>                                      Type: Unknown (65398)
> >                                     checksum: 
> > C005E2E3616E85117D7BF005696E386F
> ...
> >                                 Checksum
> >>>>>>>>                                      Type: md5 (7)
> >                                     checksum: 
> > C552A4D8830301F555840CAC9D667EC0
> 
> This is more interesting, 65398 is -138 which is HMAC-RC4.  It may be
> that w2k3 doesn't use the HMAC-RC4 scheme, but rather require MD5?
[...]
> Maybe w2k3 wants a MD5 checksum type there, instead of HMAC-RC4?

I doubt that... The arcfour-hmac-md5 stuff was invented by
ms, so they really should support it. Probably heimdal has
a small glitch in using md5 as default there...


[...]
> I manually changed it to 7 (see last part of lib/crypto-rc4.c, it
[...]

I did the same yesterday or so.

It didn't help against w2k3.

So I guess, we can ignore it for the moment.


> If the kvno change above doesn't solve this, I'll try to make this
> configurable somehow.

If the kvno doesn't help, we're probably bach at the
whiteboard. ;o)

> Thanks,

Thanks for shishi. :)


    Elrond