[OpenAFS] Re: klog.krb5 incompatible with Heimdal 1.5.1?

Harald Barth haba@kth.se
Thu, 13 Oct 2011 22:19:21 +0200 (CEST)


> # ./sbin/kadmin -l
> kadmin> get afs/localcell
> [...]
>             Keytypes: des-cbc-md5(pw-salt)[2], des-cbc-md4(pw-salt)[2], des-cbc-crc(pw-salt)[2]
> [...]
> 
> $ gdb --args ./klog
> [...]
> (gdb) break klog.c:738
> (gdb) run
> [...]
> adeason@LOCALCELL's Password:
> Breakpoint 1, CommandProc (as=0x808d008, arock=0x0) at klog.c:738
> 738             atoken->startTime = afscred->times.starttime;
> (gdb) print afscred[0]
> $1 = {client = 0x80964a0, server = 0x80966a8, session = {keytype = 18, keyvalue = {
>       length = 32, data = 0x8096e68}}, times = {authtime = 1318531499,
> 
> keytype 18 is aes256-cts-hmac-sha1-96.

Strange. If that keytype is not there, it should not be given back.

> klog is buggy in that it assumes
> it gets a key of 8 bytes, and if we get something larger, it overwrites
> other stuff in the ticket, including the kvno, which is why the "bad
> kvno" error is what you see.

Ah, asumptions, asumptions.

> If I just change the KDC to 1.2.1 (and that is the only thing I change),
> I get this at the same breakpoint:
> 
> (gdb) print afscred[0]
> $1 = {client = 0x80964a0, server = 0x80971e0, session = {keytype = 3,
> keyvalue = {
>       length = 8, data = 0x80965c0}}, times = {authtime = 1318531583,
> 
> keytype 3 is des-cbc-md5.

Why does it work then anyway? Shouldn't it be des-cbc-crc for AFS? Or does
it not matter here? 

> klog doesn't specify the enc type (for any code path, as far as I can
> tell).

Shouldn't it?

> shouldn't the kdc be
> restricted to the enctypes that actually exist for the princ

Sounds reasonable.

Harald.