[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal and cybersafe compatibility

I used to work for the now-defunct company known as Cybersafe.

Regarding #3, this is a long-time bug where TGS reps get sent back with the
ASN.1 application tag of an AS rep (25 versus 26 I think).  I believe this was
a bug that cybersafe inherited from MIT, and never fixed in their KDC for
legacy reasons.  I believe Cybersafe clients were patched to accept either tag
however, as other KDCs like Microsoft were true to the RFC and had no legacy


windeleb@wellsfargo.com wrote:

> I am trying to get a Kerberized version of OpenSSH working in the cygwin
> environment under Windows.  Our KDC is a CyberSAFE implementation.
> I have been able to build the heimdal source in the cygwin environment with
> a little tweaking and have gotten OpenSSH to build against the heimdal
> libraries with few modifications. I have been able to get a TGT using the
> kinit that comes with the heimdal release.  However, when I try to connect
> to a server using Kerberos authentication in ssh, I run into a few problems:
> 1) By default, the connection to the KDC tries to connect via UDP and fails.
> It appears that the connection happens, but no data is sent back from the
> KDC (length == 0).  I have modified the code to force a connetion over TCP
> and it seems to work fine (connection is created and data sent back, though
> I haven't peeked at it yet).  Is there a way to specify this via a runtime
> configuration option rather than hard coding it?  The option will need to be
> available to the library itself since it will be called from OpenSSH.
> 2) After forcing the TCP connection, the client seems to be unable to parse
> the reply correctly.  Doing a bit of debugging, I have found that the
> checksums of the data don't match (CRC32).  Does anyone know whether
> CyberSAFE and Heimdal compute checksums differently?  I would think that if
> I can get a TGT from the KDC, a session ticket should be fine, too.
> 3) If I try to force the verification to return without errors, I get an
> asn1 parsing error that I've tracked down to the decode_EncTGSRepPart and
> decode_EncASRepPart functions.  I'm under the assumption that the data isn't
> getting parsed correctly in the first place, which is perhaps why item 2) is
> happening.  Any ideas?
> Any help would be appreciated.  I'm new to the list so let me know if this
> has been discussed before.  I didn't see a mail archive for this list and I
> haven't been able to track down any useful information on the web or in
> newsgroups.
> Best Regards.
> -brahm