
From: Nicolas Pouvesle <>
Subject: old_api_glue bug
Date: Tue, 2 Sep 2003 22:38:04 +0200
From my previous mail on :


When rshd/rlogind (and telnet too, I think) call the function
krb5_verify_checksum (in lib/crypto/old_api_glue.c) key params are just key
value and key length. A krb5_keyblock is created but the key enctype is
So if the original checksum type was for example sha1-hmac (like it is done in
shishi) the function will fail with bad_enc_type (in a sub call it looks if
enctype is ok, but like I said it was not initialised so in fact random).

As in your code the checksum type is always set to RSA-MD5, this function won't
fail, but for some other types it will.


In the same function keyusage is set to 0, but for types other than RSA-MD5
it should not be. For example I have put it to KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM
as all calls are made to verify AP_REQ. However keyusage in params seems to
be a better idea.

It seems it is a bug, not something for compatibility.

Bye and thanks,

Nicolas Pouvesle
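
An added illustration of the failure mode reported above; it is not part of the original mail and not code from old_api_glue.c. All `demo_` types, constants and functions are hypothetical stand-ins, and the 0xA5 fill is an assumption used to model leftover stack contents deterministically.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in definitions for illustration only; not the Kerberos library's own. */
enum { DEMO_ENCTYPE_DES_CBC_MD5 = 3, DEMO_ENCTYPE_DES3_CBC_SHA1 = 16 };
enum { DEMO_OK = 0, DEMO_BAD_ENCTYPE = -1 };

typedef struct {
    int enctype;                    /* the field the report says is never set */
    size_t length;
    const unsigned char *contents;
} demo_keyblock;

/* Models the sub-call that rejects a key whose enctype it does not know. */
static int demo_check_enctype(const demo_keyblock *k)
{
    switch (k->enctype) {
    case DEMO_ENCTYPE_DES_CBC_MD5:
    case DEMO_ENCTYPE_DES3_CBC_SHA1:
        return DEMO_OK;
    default:
        return DEMO_BAD_ENCTYPE;
    }
}

/* Pattern from the report: only key bytes and length reach the keyblock.
 * A real uninitialised read is undefined behaviour, so the junk is modelled
 * here by filling the struct with 0xA5 before the two fields are assigned. */
int demo_glue_unset_enctype(const unsigned char *key, size_t len)
{
    demo_keyblock k;
    memset(&k, 0xA5, sizeof k);
    k.length = len;
    k.contents = key;
    return demo_check_enctype(&k);  /* enctype is whatever was in memory */
}

/* Corrected pattern: zero the keyblock and take the enctype from the caller. */
int demo_glue_with_enctype(const unsigned char *key, size_t len, int enctype)
{
    demo_keyblock k = {0};
    k.enctype = enctype;
    k.length = len;
    k.contents = key;
    return demo_check_enctype(&k);
}
```
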