[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Tickets with instance names.
|
From: |
Simon Josefsson |
|
Subject: |
Re: Tickets with instance names. |
|
Date: |
Wed, 15 Aug 2012 21:38:24 +0200 |
|
User-agent: |
Gnus/5.130006 (Ma Gnus v0.6) Emacs/23.3 (gnu/linux) |
Mats Erik Andersson <address@hidden> writes:
> onsdag den 15 augusti 2012 klockan 13:06 skrev Mats Erik Andersson detta:
>> torsdag den 9 augusti 2012 klockan 23:14 skrev Simon Josefsson detta:
>> > Mats Erik Andersson <address@hidden> writes:
>> >
>> > > Am I incorrect in believing that AS-REP was built from incorrect
>> > > data, since the name string is not split into name proper and
>> > > instance name?
>> >
>> > Yes. The code parsing sigge/admin should probably have splitted that
>> > into two components. Is that a Shishi KDC? It sounds like a bug.
>>
>> Client and server built from GNU Inetutils development head,
>> so libshishi is incomplete here. A quick search reveals that
>> "lib/encticketpart.c" and "lib/kdc.c" are accessing the ASN.1
>> descriptor "sname.name-string", so presumably either of these
>> files could be cheating.
>
> The following crude patch allows the exchange to proceed further.
Thanks for tracking it down, I solved it somewhat differently on git
master. I also added a regression test for this problem, as it was a
real bug.
> Now the procedure get as far as halting on failed HMAC verification.
> More investigation is needed.
The principal names are usually part of the salting, that's why those
things can fail. Retry with my patch, and if that doesn't work, try to
debug it further.
Thanks,
/Simon