[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TGS revisited

From: Simon Josefsson
Subject: Re: TGS revisited
Date: Tue, 25 Apr 2006 23:36:23 +0200
User-agent: Gnus/5.110005 (No Gnus v0.5) Emacs/22.0.50 (gnu/linux)

Elrond <address@hidden> writes:

> On Tue, Apr 25, 2006 at 07:53:00PM +0200, Elrond wrote:
> [...]
>> > This could be the problem, from your earlier logs, I think your
>> > current kvno is 2.  It seems shishi hard code the authenticator
>> > checksum kvno to 1, which is bad.  I've fixed this in CVS, and I think
>> > the daily Debian packages has it.  Could you re-try?
>> Ahhh.
>> Yes, my heimdal keys have kvno > 1 sometimes, too.
>> Okay, will retry soon.
> Okay.
> Bad news: It did not help.
> Good news: The kvno isn't anymore in the TGS-REQ.

Thanks for testing!

> Okay, here's a quick list, what I can see:
> 1) The name-type issue still isn't fixed. (unknown/0, but
>    should be Prinicpal/1)

Yup, let's treat that as the next likely problem.

> 2) shishi has a sub-key and sequence number in the TGS-REQ.
>    heimdal doesn't. (no idea, if that is good or not.)

These are likely next candidates, although they shouldn't cause
problems.  However, Heimdal handle TGS-REQ with subkey's incorrectly,
so it isn't unlikely that w3k3 does something even worse.

The seq-number shouldn't cause problems, but we could try removing it,
it really shouldn't be there.

> 3) I'm starting to get the feeling, that something on my
>    box is somewhat mixed up.

I'm not so sure -- let's try to make the ASN.1 packets as similar as
possible first, to rule out any of those problems.  We have three
items above to deal with first.

>    a) If I find the time, I will compile it on another box
>       with access to the w2k3-kdc.
>    b) Do I have a realistic chance to verify checksums by
>       "hand"? Setting it to md5 in crypto-rc4 would be my
>       first step, so that I would "only" need to run md5 on
>       some parts of the packet.

Shouldn't be too hard, the checksum is computed over the DER encoding
of the req-body in the KDC-REQ.  There is a XXX nit in
shishi_ap_set_tktoptionsasn1usage() which you could watch out for.

> What next?

I'll try to fix the name-type issue first.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]