Re: multiple krb5 salted des keys

On 28 Jun 2000, Johan Danielsson wrote:

> Derrick J Brashear <shadow@dementia.org> writes:
> Ok,
> I think I have fixed this now, but I did get_des_key differently.
> Instead of using options for this, it always tries to get all
> variants, and returns the best match. For the v4 case this means that
> it will return a v4 salted key if possible otherwise an afs3 salted
> and else any other (des) key. The kaserver case is the other way
> around. Is it important to not return a key with the `wrong' salt? The
> difference is only in the error message printed by kinit, but if you
> have kinit that can handle v5 salts you can still use it.

Now get_des_key seems to work correctly, but v5 authentication sometimes
gets a v4 salted key, which doesn't work for win2k machines, because
you're not applying the same care in getting des keys for v5 as for v4. 

I'd guess the right answer to this is to duplicate the code in
get_des_key, modify so keys of only the desired enctype can get retrieved,
and call it for des etypes.

I should be following up shortly with a patch which does this. I can't see
any way around it
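
The selection rule discussed in this thread, as an added example that is not part of the original messages and is not Heimdal's code: rank a principal's keys by salt preference per caller, and for v5 accept only keys of the requested enctype. The types, names, sample key list and the v5 fallback order are assumptions for illustration.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical, simplified key list; types and names are assumptions
 * made for this illustration, not Heimdal's. */
enum salt { SALT_V5, SALT_V4, SALT_AFS3, SALT_COUNT };
enum { ET_DES_CBC_CRC = 1, ET_DES_CBC_MD5 = 3, ET_DES3_CBC_SHA1 = 16 };
struct key { int etype; enum salt salt; };

/* Salt preference per caller, best first. The v4 and kaserver orders follow
 * the thread; the fallback order after SALT_V5 in pref_v5 is an assumption. */
static const enum salt pref_v4[SALT_COUNT]       = { SALT_V4, SALT_AFS3, SALT_V5 };
static const enum salt pref_kaserver[SALT_COUNT] = { SALT_AFS3, SALT_V4, SALT_V5 };
static const enum salt pref_v5[SALT_COUNT]       = { SALT_V5, SALT_V4, SALT_AFS3 };

static int is_des(int e) { return e == ET_DES_CBC_CRC || e == ET_DES_CBC_MD5; }
static int rank(enum salt s, const enum salt *pref)
{
    for (int i = 0; i < SALT_COUNT; i++)
        if (pref[i] == s) return i;
    return SALT_COUNT;
}

/* Index of the best-ranked key, or -1 if none qualifies. etype == 0 accepts
 * any single-DES etype (v4/kaserver); otherwise the etype must match exactly. */
int pick_des_key(const struct key *keys, size_t n, int etype, const enum salt *pref)
{
    int best = -1, best_rank = SALT_COUNT + 1;
    for (size_t i = 0; i < n; i++) {
        if (etype ? keys[i].etype != etype : !is_des(keys[i].etype))
            continue;
        int r = rank(keys[i].salt, pref);
        if (r < best_rank) { best_rank = r; best = (int)i; }
    }
    return best;
}

/* Constructed sample: the v4-salted DES key is stored before the v5-salted one. */
static const struct key sample[] = {
    { ET_DES3_CBC_SHA1, SALT_V5 }, { ET_DES_CBC_MD5, SALT_V4 },
    { ET_DES_CBC_CRC, SALT_AFS3 }, { ET_DES_CBC_MD5, SALT_V5 },
};

int main(void)
{
    printf("v4=%d kaserver=%d v5=%d\n", pick_des_key(sample, 4, 0, pref_v4),
           pick_des_key(sample, 4, 0, pref_kaserver),
           pick_des_key(sample, 4, ET_DES_CBC_MD5, pref_v5));
    return 0;
}
```

With this sample list, a first-match lookup for des-cbc-md5 would return the v4-salted key at index 1, which is the failure described for v5 clients; the ranked lookup returns the v5-salted key instead.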