>>>>> "Eliza" == Khosrova, Eliza writes:

Eliza> We have a Kerberos client application that runs under Windows. The
Eliza> client application sent a valid AS-REQ to our KDC in Linux.
Eliza> The KDC successfully processed it and sent back AS-REP to our client
Eliza> application. However, when our application successfully decrypts
Eliza> The 'enc-part' field of AS-REP, it is of type EncTGSRepPart (application
Eliza> 26) instead of being of type EncASRepPart (application 25)
Eliza> as described in section 5.4.2 of RFC 1510 http://rfc.net/rfc1510.html .
Eliza> It seems like the AS-REP from our Linux is not conforming
Eliza> to RFC.

Please see RFC 4120, Section 5.4.2. It explains exactly this
situation.

---Tom
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

"Khosrova, Eliza" writes:
> Subject: HELP!! invalid AS-REP from Linux running MIT Kerberos V5
> Date: Tue, 11 Jul 2006 13:32:44 -0700
> Message-ID: <02954887D466F24D9F3FC9F47466DEF0075DA258@cdaexchan ge.sc.rd.canon.com>
> From: "Khosrova, Eliza"
> To:
>
> Hello,
>
> Please help us!
>
> We are having a problem when processing AS-REP received from our KDC in
> Linux environment.
>
> Our Linux Configuration
> ==================
> We are running a standard Fedora 5 distribution.
> The kernel version is:
> Linux version 2.6.17-1.2139_FC5
> (brewbuilder@hs20-bc2-4.build.redhat.com)
> We are running an MIT Kerberos V5 KDC, installed using the package:
> krb5-server - 1.4.3-4.1.i386.
>
> We have a Kerberos client application that runs under Windows. The
> client application sent a valid AS-REQ to our KDC in Linux.
> The KDC successfully processed it and sent back AS-REP to our client
> application. However, when our application successfully decrypts
> The 'enc-part' field of AS-REP, it is of type EncTGSRepPart (application
> 26) instead of being of type EncASRepPart (application 25)
> as described in section 5.4.2 of RFC 1510 http://rfc.net/rfc1510.html .
> It seems like the AS-REP from our Linux is not conforming
> to RFC.
>
> Our application currently has to work for both Windows and Linux and
> when receiving AS-REP from Windows, we are getting a
> correct application type (i.e. EncASRepPart). Could you please tell us
> if you have seen this problem and if so, how to resolve it?
>
> As a test, I changed our application to accept application 26 as valid
> one for AS-REP and was able to process AS-REP completely
> and extract TGT and the key. However, the way our application is
> written, it can't accept both so we need to see why our KDC in
> Linux is giving us the wrong type.
>
> Thank you in advance and hope to hear from someone out there very soon!
> Eliza

cool problem. I'll bet there's some interesting history there.

MIT kerberos source has these interesting comments:
src/lib/krb5/asn.1/krbasn1.h
/*
* Older versions of the Kerberos are always sending the
* enc_kdc_rep_part structure with an application tag of #26, instead
* of using the application tag of #25 (AS REP) or #26 (AS REP) as
* necessary. Worse yet, they will only accept a tag of #26, so we
* need to follow this for backwards compatibility. #defining
* KRB5_ENCKRB5KDCREPPART_COMPAT will preserve this wrong (but
* compatible) behavior.
*/
#define KRB5_ENCKRB5KDCREPPART_COMPAT

and
src/lib/krb5/asn.1/krb5_encode.c
#ifdef KRB5_ENCKRB5KDCREPPART_COMPAT
krb5_apptag(26);
#else
/* XXX WRONG!!! Should use 25 || 26, not the outer KDC_REP tags! */
if (rep->msg_type == KRB5_AS_REP) { krb5_apptag(ASN1_KRB_AS_REP); }
else if (rep->msg_type == KRB5_TGS_REP) { krb5_apptag(ASN1_KRB_TGS_REP); }
else return KRB5_BADMSGTYPE;
#endif

Looks like it's working as coded. All of this logic appears to have
been in MIT since at least kerberos "1.0" in, um, 1995 --presumably
the older clients mentioned in the comment ought not be there anymore
so KRB5_ENCKRB5KDCREPPART_COMPAT could be not defined.

Out of curiosity, why wouldn't you let your kerberos library there
do the equivalent of krb5_get_in_tkt or krb5_get_init_creds ?
If you're doing decode_krb5_as_rep or decode_krb5_enc_kdc_rep_part,
or checking enc_part2->msg_type, that seems wrong...

-Marcus Watts
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos

On Tuesday, July 11, 2006 07:20:18 PM -0400 Marcus Watts
wrote:

> Looks like it's working as coded. All of this logic appears to have
> been in MIT since at least kerberos "1.0" in, um, 1995 --presumably
> the older clients mentioned in the comment ought not be there anymore
> so KRB5_ENCKRB5KDCREPPART_COMPAT could be not defined.

Last I checked, we actually had such broken clients _deployed_, in the form
of Cisco terminal servers. We run a Heimdal KDC, which has a configuration
option to control this behavior. We have to have it set to the
non-compliant mode, because of the broken clients.

-- Jeff
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos