[OpenAFS] Re: klog.krb5 incompatible with Heimdal 1.5.1?

Jeffrey Altman jaltman@secure-endpoints.com
Fri, 14 Oct 2011 08:02:22 -0400


On 10/14/2011 4:10 AM, Andreas Haupt wrote:
> Hi Andrew,
>
> this looks like a hint. Interestingly it doesn't match my observations
> with wireshark! I've attached the two AS-REP responses with the suffix
> -working & -notworking. The responses are identical (except for the KDC
> ip and the encrypted data) ...
>
> 141.34.22.10 is a Heimdal 1.2.1 KDC, 141.34.22.11 is version 1.5.1
>=20
> Does this help any further?
>=20
> Cheers,
> Andreas

Andreas:

Wireshark cannot show you the type of the session key since that key is
only visible to parties that are capable of decrypting the encrypted
portions of the response.  It is the session key that must be des-cbc-*
and which is instead aes256-cts-hmac-sha1-96 in the 1.5.1 case.
klog.krb5 should be setting an explicit request for a des-cbc-crc
session key.  That is a bug which must be fixed.  It should be reported
to openafs-bugs@openafs.org.

Heimdal 1.5.1 should also be restricting the session key to one of the
encryption types that are known to the afs@IFH.DE principal.  That is
also a bug and should be reported on the heimdal mailing list.

Jeffrey Altman
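
Added example, not part of the original message and not OpenAFS or Heimdal code: a simplified Python model of how the session key enctype in the encrypted part of an AS-REP ends up as AES or DES, depending on what the client requests and whether the KDC restricts the choice to the service principal's key types. The selection policy, the request lists and the assumption that the afs principal holds only a des-cbc-crc key are illustrative assumptions.

```python
# Simplified model of AS-REP session-key enctype selection (added example).
# Enctype numbers are the IANA Kerberos assignments.
DES_CBC_CRC, DES_CBC_MD5, AES128, AES256 = 1, 3, 17, 18
NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5",
         17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}


class EtypeNoSupp(Exception):
    """Models KDC_ERR_ETYPE_NOSUPP: no mutually acceptable enctype."""


def select_session_etype(client_etypes, kdc_etypes, service_key_etypes,
                         restrict_to_service):
    """Return the first client-preferred enctype the KDC is willing to use.

    client_etypes       -- ordered 'etype' list from the AS-REQ body
    kdc_etypes          -- enctypes the KDC implements and permits
    service_key_etypes  -- enctypes the service principal has keys for
    restrict_to_service -- True: only pick types the service is known to handle
    """
    for etype in client_etypes:
        if etype not in kdc_etypes:
            continue
        if restrict_to_service and etype not in service_key_etypes:
            continue
        return etype
    raise EtypeNoSupp("no common session key enctype")


# Constructed inputs (assumptions, not values taken from the attached captures).
KDC = {DES_CBC_CRC, DES_CBC_MD5, AES128, AES256}
AFS_KEYS = {DES_CBC_CRC}                                  # assumed DES-only service
DEFAULT_REQ = [AES256, AES128, DES_CBC_MD5, DES_CBC_CRC]  # client sets no preference
EXPLICIT_REQ = [DES_CBC_CRC]                              # explicit client request


def scenarios():
    """Session key type for each combination of client and KDC behaviour."""
    out = {}
    for cname, req in (("default", DEFAULT_REQ), ("explicit", EXPLICIT_REQ)):
        for kname, restrict in (("unrestricted", False), ("restricted", True)):
            etype = select_session_etype(req, KDC, AFS_KEYS, restrict)
            out[(cname, kname)] = NAMES[etype]
    return out


if __name__ == "__main__":
    for key, name in scenarios().items():
        print(key, "->", name)
```

Only the default/unrestricted combination yields an AES session key; fixing either side alone is enough to get des-cbc-crc in this model.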


