Jeffrey Altman jaltman@secure-endpoints.com
Fri, 14 Oct 2011 08:02:22 -0400

On 10/14/2011 4:10 AM, Andreas Haupt wrote:
> Hi Andrew,
> this looks like a hint. Interestingly it doesn't match my observations
> with wireshark! I've attached the two AS-REP responses with the suffix
> -working & -notworking. The responses are identical (except for the KDC
> ip and the encrypted data) ...
> is a Heimdal 1.2.1 KDC, is version 1.5.1
> Does this help any further?
> Cheers,
> Andreas


Wireshark cannot show you the type of the session key since that key is
only visible to parties that are capable of decrypting the encrypted
portions of the response.  It is the session key that must be des-cbc-*
and which is instead aes256-cts-hmac-sha1-96 in the 1.5.1 case.
klog.krb5 should be setting an explicit request for a des-cbc-crc
session key.  That is a bug which must be fixed.  It should be reported
to openafs-bugs@openafs.org.

Heimdal 1.5.1 should also be restricting the session key to one of the
encryption types that are known to the afs@IFH.DE principal.  That is
also a bug and should be reported on the heimdal mailing list.

Jeffrey Altman
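
The negotiation Jeffrey describes, as an added example that is not part of the thread or of either project's code: a small Python model of how a KDC chooses the AS-REP session-key enctype, run once as observed against 1.5.1 and once per fix (client restricting its request, KDC restricting to the service principal's key types). The KDC preference order, the client etype lists and the assumption that afs@IFH.DE holds only a des-cbc-crc key are constructed inputs, not values taken from the attached captures.

```python
# Added example (not from the thread): a model of how a KDC picks the AS-REP
# session-key enctype, showing why klog.krb5 against Heimdal 1.5.1 ends up with
# aes256-cts-hmac-sha1-96 and how each of the two fixes Jeffrey names avoids it.
# Enctype numbers are the RFC 3961 / IANA assignments.
DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5 = 1, 2, 3
AES128_CTS_HMAC_SHA1_96, AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC = 17, 18, 23
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 23: "arcfour-hmac-md5"}
# rxkad, the AFS token format, can only carry a single-DES session key.
AFS_SESSION_KEY_ENCTYPES = {DES_CBC_CRC, DES_CBC_MD4, DES_CBC_MD5}

def select_session_key(client_etypes, kdc_preference, service_key_etypes=None):
    """Return the session-key enctype a KDC would put in the AS-REP: the first
    enctype in the KDC's own preference order that the client listed in the
    AS-REQ.  With service_key_etypes given (the Heimdal fix the thread asks
    for) it must also be a type the service principal has a key for."""
    for etype in kdc_preference:
        if etype not in client_etypes:
            continue
        if service_key_etypes is not None and etype not in service_key_etypes:
            continue
        return etype
    return None  # no acceptable enctype; a real KDC returns an error

def afs_token_usable(etype):
    """True if an AFS client can build an rxkad token from this session key."""
    return etype in AFS_SESSION_KEY_ENCTYPES

# Constructed inputs.  KDC preference modelled on a modern default (AES first);
# afs@IFH.DE is assumed to have only a des-cbc-crc key.
KDC_PREFERENCE = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                  ARCFOUR_HMAC, DES_CBC_MD5, DES_CBC_CRC]
AFS_SERVICE_KEYS = {DES_CBC_CRC}
BROAD_REQUEST = list(KDC_PREFERENCE)  # client that does not restrict etypes
DES_ONLY_REQUEST = [DES_CBC_CRC]      # klog.krb5 with the explicit request

def scenarios():
    """The failing negotiation as observed, then one run per fix."""
    return {
        "1.5.1 as observed": select_session_key(BROAD_REQUEST, KDC_PREFERENCE),
        "klog.krb5 fixed": select_session_key(DES_ONLY_REQUEST, KDC_PREFERENCE),
        "KDC fixed": select_session_key(BROAD_REQUEST, KDC_PREFERENCE, AFS_SERVICE_KEYS),
    }

if __name__ == "__main__":
    for name, etype in scenarios().items():
        print(f"{name:18} -> {ENCTYPE_NAMES[etype]}, AFS usable: {afs_token_usable(etype)}")
```

Either fix alone yields a des-cbc-crc session key; with neither, the AES-first KDC hands back a key rxkad cannot carry, which is invisible in Wireshark because it sits in the encrypted part of the reply.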

