Re: rudimentary preauth working

From: Simon Josefsson
Subject: Re: rudimentary preauth working
Date: Fri, 21 Apr 2006 15:30:41 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> On Thu, Apr 20, 2006 at 09:35:55PM +0200, Simon Josefsson wrote:
>> Elrond, debian packages of 0.0.24 with the recent pre-auth stuff are
>> available from:
> downloaded a few hours ago, rebuilt, installed (except
> shishid).
>> If you can confirm that pre-auth at least sort-of works, I'll release
>> it.
> 1) After finding the option to enforce preauth in heimdal,
>    I can confirm that it works with my heimdal-kdc. ;)


> 2) w2k3 as kdc breaks (including a free(random-address), see
>    next mail.)
> Here's a subset of the "-v" * 4 output (let me know, if you
> want it all):
>       Types of PA-DATA in KRB-ERROR: 11, 2, 15.
> ...
>       Unsupported pre-auth required
> Hope it helps you figure out, what goes on there.

It does.  It seems w2k3 kdc only supports pre-auth types PA-ETYPE-INFO,
PA-ENC-TIMESTAMP and PA-PK-AS-REP_OLD.  INFO is almost the same as
INFO2, so I have added support for it now.  This seems to work against
MIT, which sends both ETYPE-INFO and ETYPE-INFO2.

There should be some logic to prefer INFO2 though.  Now it picks the
first one the server sends, which will be INFO for MIT.  This is only
important when AES keys are used, so I'll defer it for now.

Tomorrow's snapshot should handle INFO, but I don't have time to build
debian packages for it until Monday.  I think I will set up an
auto-builder for the debian packages too, it shouldn't be too much
work, and will help make sure the debian files are in good shape.

Thanks for testing!
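
An added example, not part of the original message and not Shishi's own code: a sketch of the selection logic discussed above, which scans every PA-DATA type in the KRB-ERROR before choosing so that ETYPE-INFO2 is preferred over ETYPE-INFO regardless of the order the KDC sends them. The names `plan_preauth` and `struct preauth_plan` are hypothetical, and it assumes PA-ENC-TIMESTAMP is the only pre-auth mechanism the client implements.

```c
#include <stddef.h>
#include <stdio.h>

/* PA-DATA type numbers as assigned in RFC 4120. */
enum { PA_ENC_TIMESTAMP = 2, PA_ETYPE_INFO = 11,
       PA_PK_AS_REP_OLD = 15, PA_ETYPE_INFO2 = 19 };

/* Hypothetical result type for this example (not a Shishi structure). */
struct preauth_plan {
  int can_enc_timestamp;  /* KDC offered PA-ENC-TIMESTAMP */
  int etype_info;         /* PA_ETYPE_INFO2, PA_ETYPE_INFO, or 0 if neither */
};

/* Walk the whole list before deciding: INFO2 always wins over INFO, and
   types the client does not implement (such as 15) are skipped instead of
   aborting.  Returns 0 if pre-auth can proceed, -1 if the KDC offered no
   mechanism the client supports ("Unsupported pre-auth required"). */
int
plan_preauth (const int *types, size_t n, struct preauth_plan *plan)
{
  size_t i;

  plan->can_enc_timestamp = 0;
  plan->etype_info = 0;
  for (i = 0; i < n; i++)
    switch (types[i])
      {
      case PA_ENC_TIMESTAMP:
        plan->can_enc_timestamp = 1;
        break;
      case PA_ETYPE_INFO2:
        plan->etype_info = PA_ETYPE_INFO2;
        break;
      case PA_ETYPE_INFO:
        if (plan->etype_info != PA_ETYPE_INFO2)  /* never downgrade */
          plan->etype_info = PA_ETYPE_INFO;
        break;
      default:
        break;
      }
  return plan->can_enc_timestamp ? 0 : -1;
}

int
main (void)
{
  /* The type list from the w2k3 KRB-ERROR quoted above: 11, 2, 15. */
  int w2k3[] = { PA_ETYPE_INFO, PA_ENC_TIMESTAMP, PA_PK_AS_REP_OLD };
  struct preauth_plan p;
  int rc = plan_preauth (w2k3, 3, &p);
  printf ("rc=%d etype-info type=%d\n", rc, p.etype_info);
  return 0;
}
```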

