
Re: pkinit as_rep



Douglas E. Engert wrote:
> 
> 
> Matthew N. Andrews wrote:
> 
>> Douglas E. Engert wrote:
>>
>>> OK, I will send an answer to the list as well.
>>>
>>> Matthew N. Andrews wrote:
>>>
>>>> Ok, after remembering that gcc defaults to -O2 I was able to get a 
>>>> -O0 build, and see what's going on.
>>>>
>>>> If I look at the authentication exchange with ethereal, I see that 
>>>> the AS-REQ message has a padata section with a type of 
>>>> PA-PK-AS-REP(15).
>>>
>>> You mean the response to the request has type 15? The request should 
>>> be 14.
>>>
>> No, I mean the request itself has type 15.
> 
> 
> That sounds strange, as all the old documents have PA-PK-AS-REQ as 14,
> and PA-PK-AS-REP as 15.
> 
>>
>> If I place "win2k_pkinit = false" in my realm's stanza of the [realms] 
>> section of the krb5.conf then the request has type 14, but the default 
>> is type 15, presumably for win2k brokenness compatibility.
>>
> 
> I am using heimdal-20050405 against a Win2K kdc, with win2k_pkinit = yes
> set in the krb5.conf with the mod I told you about in a previous note.
> The PA-PK_AS_REP is 15.

If you look at ethereal, what do you see as the padata type in the 
request packet?

> 
> 
>> -Matt Andrews
>>
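
An added example, not part of the original thread and not Heimdal code: a small DER walker that lists the padata-type values carried in an AS-REQ or AS-REP, so the 14 versus 15 question can be checked from the raw message bytes as well as in a packet dissector. It assumes the input is the bare Kerberos message (no TCP length prefix); the name table holds only the two values quoted in the thread, and `sample_as_req` builds a constructed, minimal message with an empty req-body and a dummy padata-value.

```python
PADATA_NAMES = {14: "PA-PK-AS-REQ", 15: "PA-PK-AS-REP"}  # values quoted in the thread
PADATA_FIELD = {0x6A: 0xA3, 0x6B: 0xA2}  # AS-REQ: padata [3]; AS-REP: padata [2]

def read_tlv(buf, pos=0):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed value into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def padata_types(msg):
    """Return the padata-type integers carried by an AS-REQ or AS-REP."""
    app_tag, body, _ = read_tlv(msg)
    if app_tag not in PADATA_FIELD:
        raise ValueError("not an AS-REQ or AS-REP")
    types = []
    for tag, val in children(read_tlv(body)[1]):      # fields of KDC-REQ / KDC-REP
        if tag != PADATA_FIELD[app_tag]:
            continue
        for _, pa in children(read_tlv(val)[1]):       # each PA-DATA SEQUENCE
            fields = dict(children(pa))                # [1] padata-type, [2] padata-value
            types.append(int.from_bytes(read_tlv(fields[0xA1])[1], "big", signed=True))
    return types

def tlv(tag, value):  # encoder used only to build the constructed sample
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def sample_as_req(pa_type):  # constructed sample: pvno 5, msg-type 10, one PA-DATA
    pa = tlv(0x30, tlv(0xA1, tlv(0x02, bytes([pa_type]))) + tlv(0xA2, tlv(0x04, b"\x00")))
    return tlv(0x6A, tlv(0x30, tlv(0xA1, tlv(0x02, b"\x05")) + tlv(0xA2, tlv(0x02, b"\x0a"))
                         + tlv(0xA3, tlv(0x30, pa)) + tlv(0xA4, tlv(0x30, b""))))

if __name__ == "__main__":
    for t in padata_types(sample_as_req(15)):
        print(t, PADATA_NAMES.get(t, "other"))
```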