Skip Menu |

Download (untitled) / with headers
text/plain 3.1KiB
From Wed Feb 15 20:04:36 2006
Received: from (PCH.MIT.EDU []) by (8.9.3p2) with ESMTP
id UAA22000; Wed, 15 Feb 2006 20:04:36 -0500 (EST)
Received: from ( [])
by (8.12.8p2/8.12.8) with ESMTP id k1G145ei015563
for <>; Wed, 15 Feb 2006 20:04:05 -0500
by (8.12.8p2/8.12.8) with ESMTP id k1FMoaei028490
for <>; Wed, 15 Feb 2006 17:50:36 -0500
Received: from ( [])
by (8.12.4/8.9.2) with SMTP id
for <>; Wed, 15 Feb 2006 17:50:35 -0500 (EST)
Received: from (
[]) by (8.6.13/8.6.12) with
ESMTP id RAA14779; Wed, 15 Feb 2006 17:50:34 -0500
Message-Id: <>
X-send-pr-version: 3.99
Date: Wed, 15 Feb 2006 17:50:33 -0500
From: Marcus Watts <>
X-Spam-Score: -0.783
X-Spam-Flag: NO
X-Scanned-By: MIMEDefang 2.42
X-Mailman-Approved-At: Wed, 15 Feb 2006 20:02:07 -0500
X-Mailman-Version: 2.1.6
Precedence: list

Show quoted text
>Submitter-Id: net
>Originator: Marcus Watts
University of Michigan
Show quoted text
>Confidential: no
>Synopsis: 1.4.3 kdc fails with 1.2.8 client and des-cbc-crc:afs3 key
>Severity: serious
>Priority: high
>Category: krb5-kdc
>Class: sw-bug
>Release: 1.4.3
i686-pc-linux-gnu, linux 2.4.26, i686-pc-linux-gnu
System: Linux 2.4.26 #1 SMP Fri May 7 03:55:08 EDT 2004 i686 unknown unknown GNU/Linux
Architecture: i686

Show quoted text
The problem seems to be that 1.4.3 returns ETYPE_INFO and ETYPE_INFO2
PADATA in an AS-RESP. The old version only returns ETYPE_INFO for a
"preauth needed" error. 1.2.8 clients believe that ETYPE_INFO PADATA
supersedes AFS3_SALT PADATA, so when they see this in an AS-REQ, they
use the wrong string to key function and fail. Later clients see the
ETYPE_INFO2 data, and behave properly. The MIT 1.4.3 readme notes
the change, but fails to identify what it will break.
As-shipped MacOS 10.2.8 has similar behavior to 1.2.8 clients.
Show quoted text
on kdc running 1.4.3:
cpw -e des-cbc-crc:afs3 SOME-PRINCIPAL
modprinc -requires_preauth SOME-PRINCIPAL
on krb5 1.2.8 client:
observe output like this:
aardvark$ ./kinit testviii@DOGS.UMICH.EDU
Password for testviii@DOGS.UMICH.EDU:
kinit(v5): Password incorrect while getting initial credentials
with a 1.4.2 kdc, the client works fine.
Show quoted text
Apply this patch to kdc/kdc_preauth.c
This modifies etype_info handling to not return etype_info
in cases where the information would be just plain wrong
and confuses older clients (where s2k params would be returned).