From Thu Sep 2 19:09:51 1999
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU []) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id TAA11548 for <bugs@RT-11.MIT.EDU>; Thu, 2 Sep 1999 19:09:50 -0400
Received: from by MIT.EDU with SMTP
id AA16543; Thu, 2 Sep 99 19:09:39 EDT
Received: from ( [])
by (8.9.3/8.9.3) with ESMTP id TAA27069;
Thu, 2 Sep 1999 19:09:42 -0400 (EDT)
Received: (from chas@localhost)
by (8.8.5/8.8.5) id QAA06190;
Thu, 2 Sep 1999 16:09:37 -0700 (PDT)
Message-Id: <>
Date: Thu, 2 Sep 1999 16:09:37 -0700 (PDT)
From: Chas Williams <>
To: krb5-bugs@MIT.EDU
Subject: pa_sam() KRB5_SAM_SEND_ENCRYPTED_SAD doesnt work in 1.1 beta
X-Send-Pr-Version: 3.99

>Number: 747
>Category: krb5-libs
>Synopsis: pa_sam()'s KRB5_SAM_SEND_ENCRYPTED_SAD doesnt ask for password
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Sep 02 19:10:00 EDT 1999
>Last-Modified: Tue Feb 22 16:46:01 EST 2000
>Originator: Chas Williams
hardly any, ask ken
>Release: 1.1beta
System: IRIX borg 6.5 04151556 IP22

when using securid as a h/w preauth method I see the
following behavior:

    % ./kinit chas@WES.HPC.MIL
    SAM Authentication
    Challenge for Security Dynamics mechanism
    SecurID Passcode:
    kinit: Bad encryption type while getting initial credentials

note that it never actually asked for my password.
the problem seems to be in the following from krb5/krb5/preauth2.c

    enc_sam_response_enc.sam_nonce = sam_challenge->sam_nonce;
    if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
        enc_sam_response_enc.sam_passcode = response_data;
    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {

note that it never asks for my password to use as a key
or even encrypts the preauth response.

(see above, but you need a h/w preauth method that uses
a previous fix from another site, was to do the following:

    if (sam_challenge->sam_flags & KRB5_SAM_SEND_ENCRYPTED_SAD) {
        /*
         * We need to use the password as part or all of the key.
         * If as_key contains info, it should be the users pass phrase.
         * If not, get the password before issuing the challenge.
         */
        if (as_key->length == 0) {
            if (ret = ((*gak_fct)(context, request->client,
                                  request->ktype[0], prompter, prompter_data,
                                  salt, as_key, gak_data)))
        enc_sam_response_enc.sam_passcode = response_data;
    } else if (sam_challenge->sam_flags & KRB5_SAM_USE_SAD_AS_KEY) {
        if (sam_challenge->sam_nonce == 0) {

however, this doesn't work anymore since the latest changes
to the crypto library.

Responsible-Changed-From-To: gnats-admin->krb5-unassigned
Responsible-Changed-By: raeburn
Responsible-Changed-When: Tue Feb 22 16:45:58 2000
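
The guard that the quoted fix in the report is aiming at, as an added, self-contained C model (not code from the report or from krb5): when the send-encrypted-SAD flag is set and no password key is cached, the password callback must run before the response is built. All type, function and constant names and values below are hypothetical stand-ins, and the model does not touch the crypto library issue the report mentions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-ins with constructed values, not krb5's own definitions. */
#define SAM_USE_SAD_AS_KEY     0x80000000u
#define SAM_SEND_ENCRYPTED_SAD 0x40000000u
enum key_source { KEY_NONE, KEY_PASSWORD, KEY_SAD };
struct keyblock { size_t length; unsigned char bytes[16]; };
typedef int (*get_key_fn)(struct keyblock *key);   /* password prompt callback */

/* Returns 0 and sets *src, or nonzero if no usable key; *prompted counts prompts. */
int choose_sam_key(unsigned flags, struct keyblock *as_key, get_key_fn gak,
                   enum key_source *src, int *prompted)
{
    *src = KEY_NONE;
    if (flags & SAM_SEND_ENCRYPTED_SAD) {
        /* Passcode rides inside the response: it needs the password key. */
        if (as_key->length == 0) {
            int ret = gak(as_key);
            (*prompted)++;
            if (ret != 0)
                return ret;
        }
        if (as_key->length == 0)
            return -1;      /* never build the response with an empty key */
        *src = KEY_PASSWORD;
        return 0;
    }
    if (flags & SAM_USE_SAD_AS_KEY) {
        *src = KEY_SAD;     /* key comes from the passcode; no password prompt */
        return 0;
    }
    return -1;              /* neither mode requested */
}

/* Constructed callback simulating a user who types a password. */
int sample_gak(struct keyblock *key)
{
    memset(key->bytes, 0x5a, sizeof key->bytes);
    key->length = sizeof key->bytes;
    return 0;
}

int main(void)
{
    struct keyblock k = {0};
    enum key_source src;
    int prompted = 0;
    return choose_sam_key(SAM_SEND_ENCRYPTED_SAD, &k, sample_gak, &src, &prompted);
}
```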
