Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) X-RT-Original-Encoding: iso-8859-1 Content-Length: 3373 From krb5-bugs-incoming-bounces@PCH.mit.edu Wed Oct 5 20:09:28 2005 Received: from pch.mit.edu (PCH.MIT.EDU [18.7.21.90]) by krbdev.mit.edu (8.9.3p2) with ESMTP id UAA16866; Wed, 5 Oct 2005 20:09:28 -0400 (EDT) Received: from pch.mit.edu (pch.mit.edu [127.0.0.1]) by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9608qpx018871 for ; Wed, 5 Oct 2005 20:08:52 -0400 Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83]) by pch.mit.edu (8.12.8p2/8.12.8) with ESMTP id j9608ppx018868 for ; Wed, 5 Oct 2005 20:08:51 -0400 Received: from brmea-mail-3.sun.com (brmea-mail-3.Sun.COM [192.18.98.34]) j9608n7d017695 for ; Wed, 5 Oct 2005 20:08:49 -0400 (EDT) Received: from centralmail1brm.Central.Sun.COM (centralmail1brm.central.sun.com [129.147.62.1]) by brmea-mail-3.sun.com (8.12.10/8.12.9) with ESMTP id j9608m1L014563 for ; Wed, 5 Oct 2005 18:08:48 -0600 (MDT) Received: from alton.central.sun.com (alton.Central.Sun.COM [129.153.128.101]) with ESMTP id j9608mZv019875 for ; Wed, 5 Oct 2005 18:08:48 -0600 (MDT) Received: from alton.central.sun.com (localhost [127.0.0.1]) j9608l01009551 for ; Wed, 5 Oct 2005 19:08:47 -0500 (CDT) Received: (from willf@localhost) by alton.central.sun.com (8.13.4+Sun/8.13.3/Submit) id j9608lfs009550; Wed, 5 Oct 2005 19:08:47 -0500 (CDT) Date: Wed, 5 Oct 2005 19:08:47 -0500 (CDT) Message-Id: <200510060008.j9608lfs009550@alton.central.sun.com> To: krb5-bugs@mit.edu From: william.fiveash@sun.com X-send-pr-version: 3.99 X-Spam-Score: -1.366 X-Spam-Flag: NO X-Scanned-By: MIMEDefang 2.42 X-BeenThere: krb5-bugs-incoming@mailman.mit.edu X-Mailman-Version: 2.1 Precedence: list Reply-To: william.fiveash@sun.com Sender: krb5-bugs-incoming-bounces@PCH.mit.edu Errors-To: krb5-bugs-incoming-bounces@PCH.mit.edu >Submitter-Id: net >Originator: William Fiveash >Organization: Sun Microsystems >Confidential: no >Synopsis: AS_REP padata missing PA-ETYPE-INFO >Severity: non-critical >Priority: low >Category: krb5-libs >Class: sw-bug >Release: krb5-1.4.2 >Environment: System: SunOS alton 5.10 Generic_118822-18 sun4u sparc SUNW,Sun-Blade-1000 Architecture: sun4 >Description: The KDC is returning only PA-ETYPE-INFO2 in the AS_REP even though the AS_REQ only contains des-cbc-crc. That appears to violate the text in rfc4120 below: When the AS server is to include pre-authentication data in a KRB-ERROR or in an AS-REP, it MUST use PA-ETYPE-INFO2, not PA-ETYPE- INFO, if the etype field of the client's AS-REQ lists at least one "newer" encryption type. Otherwise (when the etype field of the client's AS-REQ does not list any "newer" encryption types), it MUST send both PA-ETYPE-INFO2 and PA-ETYPE-INFO (both with an entry for each enctype). A "newer" enctype is any enctype first officially specified concurrently with or subsequent to the issue of this RFC. The enctypes DES, 3DES, or RC4 and any defined in [RFC1510] are not "newer" enctypes. Hint, look at return_padata() in kdc_preauth.c and etype-info instance of the preauth_systems[] (no return_padata function defined). >How-To-Repeat: Set default_tkt_enctypes = des-cbc-crc and kinit. >Fix: See the description.