Return-Path:
Received: from mail.jpl.nasa.gov (mailhost.jpl.nasa.gov [128.149.139.105]) by krbdev.mit.edu (Postfix) with ESMTPS id AE7D73DC25 for ; Fri, 27 Apr 2012 18:13:10 -0400 (EDT)
Received: from laphotz.jpl.nasa.gov (laphotz.jpl.nasa.gov [128.149.133.44]) (authenticated (0 bits)) by smtp.jpl.nasa.gov (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q3RMD8CJ026968 (using TLSv1/SSLv3 with cipher AES128-SHA (128 bits) verified NO); Fri, 27 Apr 2012 15:13:08 -0700
Subject: Re: [krbdev.mit.edu #2545] SVN Commit
MIME-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset=us-ascii
From: "Henry B. Hotz"
In-Reply-To:
Date: Fri, 27 Apr 2012 15:13:05 -0700
CC: Booker Bense
Content-Transfer-Encoding: quoted-printable
Message-ID:
References:
To:
X-Mailer: Apple Mail (2.1084)
X-Source-Sender: hotz@jpl.nasa.gov
X-Auth: Authorized
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 1191

On Apr 27, 2012, at 10:04 AM, Greg Hudson via RT wrote:

> Ensure null termination of AFS salts
>
> Use krb5int_copy_data_contents_add0 when copying a pa-pw-salt or
> pa-afs3-salt value in pa_salt(). If it's an afs3-salt, we're going to
> throw away the length and use strcspn in krb5int_des_string_to_key,
> which isn't safe if the value is unterminated.
>
> https://github.com/krb5/krb5/commit/f566fee75f2455d6e5e7ee4fcdf5a0d327808639
> Commit By: ghudson
> Revision: 25833
> Changed Files:
> U trunk/src/lib/krb5/krb/preauth2.c

I'm guessing that this resolves the old problem with AFS-salted passwords longer than 8 characters?

Don't get me wrong, if something's in the code it ought to be correct, or removed, so good!

However we will have eliminated Kerberos 4 by the end of May, and with luck I expect to eliminate single-DES within a month or two after that (except for some service principals like "afs@JPL.NASA.GOV"). At that point I, personally, won't care any more.
------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
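
The termination issue described in the quoted commit message, as an added example that is not part of the original message and is not krb5 code: a counted salt is scanned with `strcspn` once directly and once through a NUL-terminated copy. `struct counted`, `copy_add0`, the `"@"` reject set and the wire bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a counted buffer such as krb5_data. */
struct counted { size_t length; const char *data; };

/* Hypothetical helper (not krb5int_copy_data_contents_add0 itself):
 * copy src->length bytes and append a terminating NUL.
 * Returns NULL on allocation failure or if length + 1 would overflow. */
char *copy_add0(const struct counted *src)
{
    char *out;
    if (src->length == (size_t)-1)
        return NULL;
    out = malloc(src->length + 1);
    if (out == NULL)
        return NULL;
    if (src->length > 0)
        memcpy(out, src->data, src->length);
    out[src->length] = '\0';
    return out;
}

/* Constructed wire bytes: a 12-byte salt followed by unrelated data.
 * The salt itself carries no NUL terminator. */
static const char wire[] = "cell.exampleNEXTFIELD@junk";
#define SALT_LEN 12

/* Length-discarding scan on the raw pointer: runs past the salt. */
size_t scan_raw(void) { return strcspn(wire, "@"); }

/* Same scan on the terminated copy: bounded by the salt length. */
size_t scan_copy(void)
{
    struct counted salt = { SALT_LEN, wire };
    char *s = copy_add0(&salt);
    size_t n;
    if (s == NULL) return (size_t)-1;
    n = strcspn(s, "@");
    free(s);
    return n;
}

int main(void)
{
    printf("raw scan: %zu, terminated copy: %zu\n", scan_raw(), scan_copy());
    return 0;
}
```

Here the bytes after the salt sit in the same array, so the raw scan is well defined and simply returns the wrong length; with a heap buffer sized exactly to the salt, the same scan would read out of bounds.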