
Re: 0.1m: krb4 is krb4, krb5 is krb5, never the twain shall meet?



I didn't intend that last to be private, so I'm moving this back onto
the list...

On  2 Sep, Ken Hornstein wrote:
+-----
|  >|  While I'll confess to having not that much experience with Heimdal, do
|  >|  you really have V4 keys in your database, or do you have AFS-salted keys?
|  >
|  >AFS-salted, but in current versions of heimdal the salttype is
|  >dissociated from the enctype.  It is in this case the enctype that is
|  >the problem.
|  
|  But that doesn't make any sense.  In reality, the _enctype_ is the
|  same between AFS, V4, and V5 ... it's the salt algorithm that changes.
+--->8

Not true.  Enctypes, according to the code, are e.g. "des-cbc-crc"; the
problem is that krb5 authentication doesn't work unless there is a
(krb5-specific) des3-cbc-sha1 key defined.  The enctype *is* the same
for AFS and krb4, however.

| Sounds like either the KDC or the client isn't sending back the salt
| information to the client.
+--->8

The krb5 auth code appears to try the default salt first, then the AFS
salt.

-- 
brandon s. allbery	   os/2,linux,solaris,perl	allbery@kf8nh.apk.net
system administrator	   kthkrb,heimdal,gnome,rt	  allbery@ece.cmu.edu
carnegie mellon / electrical and computer engineering			kf8nh
    We are Linux. Resistance is an indication that you missed the point.