Re: windows interop



>> In other words, [the way I see it] rc4-hmac should unconditionally go 
>> unsalted.
> 
> IIRC the enctype is defined that way.

That is correct. So one can even strengthen the statement and say 
"rc4-hmac *must* go unsalted," right?

> You're just asking that it be 
> (accurately) reported that way in the PA-ENCTYPE-INFO.

Well, PA-ENCTYPE-INFO is not the only place where [non-existing in this 
case] salt appears; it's exposed in PA-PW-SALT on the wire and there is a 
hint in 'get principal' in kadmin.

> Doesn't sound like a big deal to fix.  Do you have a patch?

Well, I do have a kludgy patch that omits it from PA-ENCTYPE-INFO (that's 
how I could confirm what it takes to make XP negotiate rc4-hmac with 
Heimdal), but I'd like to see consistency or at least consensus on how 
to address this problem. As mentioned in a previous post, I reckon that 
ideally the database itself should be corrected (so that 'get principal' 
shows 'archfour-hmac-md5(null)' or something), nor should the key generation 
procedure pass salt downstream for the enc_type in question. Well, I realize 
that it might be too much to ask...

Cheers. A.