On Apr 27, 2012, at 10:04 AM, Greg Hudson via RT wrote:

> Ensure null termination of AFS salts
>
> Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
> pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
> throw away the length and use strcspn in krb5int_des_string_to_key,
> which isn't safe if the value is unterminated.
>
> https://github.com/krb5/krb5/commit/f566fee75f2455d6e5e7ee4fcdf5a0d327808639
> Commit By: ghudson
> Revision: 25833
> Changed Files:
> U trunk/src/lib/krb5/krb/preauth2.c

I'm guessing that this resolves the old problem with AFS-salted passwords longer than 8 characters?

Don't get me wrong, if something's in the code it ought to be correct, or removed, so good! However we will have eliminated Kerberos 4 by the end of May, and with luck I expect to eliminate single-DES within a month or two after that (except for some service principals like "afs@JPL.NASA.GOV"). At that point I, personally, won't care any more.

------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
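
The pattern the quoted commit message describes, as an added example that is not part of the original message or the krb5 source: a counted salt is copied with one extra NUL byte, so a consumer that drops the length and calls strcspn cannot read past the buffer. `struct counted`, `copy_add0`, `safe_scan`, the `"@"` reject set and the sample salt are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Counted byte string as received: nothing guarantees a trailing NUL. */
struct counted { size_t length; char *data; };

/* Constructed sample salt: 11 bytes, deliberately no terminator. */
const char sample_salt[11] = { 'E','X','A','M','P','L','E','.','O','R','G' };

/* Hypothetical helper (not the krb5 function): copy src into dst and append
 * one NUL byte that is not counted in dst->length.  Returns 0 or -1. */
int copy_add0(const struct counted *src, struct counted *dst)
{
    dst->length = 0;
    dst->data = NULL;
    if (src->length == SIZE_MAX)        /* length + 1 would wrap to 0 */
        return -1;
    dst->data = malloc(src->length + 1);
    if (dst->data == NULL)
        return -1;
    if (src->length > 0)
        memcpy(dst->data, src->data, src->length);
    dst->data[src->length] = '\0';      /* the "add0" step */
    dst->length = src->length;
    return 0;
}

/* Copy the wire bytes with a terminator, then scan them the way a consumer
 * that ignores the length would.  Returns (size_t)-1 if the copy fails. */
size_t safe_scan(const char *wire, size_t len)
{
    struct counted in = { len, (char *)wire }, out;
    size_t n;

    if (copy_add0(&in, &out) != 0)
        return (size_t)-1;
    n = strcspn(out.data, "@");         /* "@" is assumed; stops at the NUL */
    free(out.data);
    return n;
}

int main(void)
{
    return safe_scan(sample_salt, sizeof(sample_salt)) == 11 ? 0 : 1;
}
```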