On Friday, March 12, 2004 00:41:06 -0800 "Henry B. Hotz" <[EMAIL PROTECTED]> wrote:

> At 8:54 PM -0500 3/11/04, Jeffrey Hutzelman wrote:
>> On Thursday, March 11, 2004 16:38:46 -0800 "Henry B. Hotz"
>> <[EMAIL PROTECTED]> wrote:
>>
>>> Where is the "real" description of the string-to-key functions, V4, AFS,
>>> and V5?
>>
>> AFS supports only the single-DES enctype.  The AFS string-to-key
>> function is not documented; you'll have to read the source.
>>
>> All of these functions support input of essentially unlimited length.
>
> Just looked at the OpenAFS code and some old KTH code. The former has a loop of some kind with no obvious limit (as you said). The latter uses a different algorithm for length <=8 from >8. In the latter case they have an array of size 512 which might imply a limit of 511 characters. That's big enough.

Ah, you noticed that.


Yes, the algorithm is different for input of length 8 or less -- once upon a time, passwords were simply truncated to 8 characters; this is consistent with what UNIX did at the time. Today, we use a different algorithm for passwords longer than 8 characters; the new algorithm uses des_cbc_cksum and will work on an arbitrarily large input. The OpenAFS client code uses buffers of size BUFSIZ to handle input and conversion of passwords, so it can't deal with a password larger than BUFSIZ-1 (and indeed, things close to that limit will get salted incorrectly, and so won't work consistently either). Note that BUFSIZ is a platform-defined limit; on my RH7.1 machine it's 8K.


Note that it sounds like the OpenAFS code you were looking at was actually src/des/strng_to_key.c, which implements the DES string-to-key function, not the AFS one. The AFS string-to-key code is in src/kauth/client.c.


-- Jeffrey T. Hutzelman (N3NHS) <[EMAIL PROTECTED]>
  Sr. Research Systems Programmer
  School of Computer Science - Research Computing Facility
  Carnegie Mellon University - Pittsburgh, PA

________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
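
The BUFSIZ-1 limit and the incorrect salting near it, shown as an added example that is not part of the original message and is not OpenAFS code. It assumes the key-derivation input is the password followed by the cell name, assembled in one fixed-size buffer; the function names, the 32-byte buffer and the sample strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Naive assembly: copies what fits and silently drops the rest, so a
 * password near the buffer size loses part or all of its salt.
 * Returns the number of bytes actually stored. */
size_t salt_naive(const char *pw, const char *cell, char *buf, size_t cap)
{
    if (cap == 0)
        return 0;
    snprintf(buf, cap, "%s%s", pw, cell);   /* truncates at cap-1 bytes */
    return strlen(buf);
}

/* Checked assembly: refuses any input that cannot hold the password, the
 * complete salt and the terminating NUL. Returns the combined length, or
 * -1 (buf untouched) so the caller can reject the password outright
 * instead of deriving a key from a partial salt. */
long salt_checked(const char *pw, const char *cell, char *buf, size_t cap)
{
    size_t pl = strlen(pw), cl = strlen(cell);

    if (cap == 0 || pl >= cap || cl >= cap - pl)   /* need pl+cl+1 <= cap */
        return -1;
    memcpy(buf, pw, pl);
    memcpy(buf + pl, cell, cl + 1);                /* includes the NUL */
    return (long)(pl + cl);
}

int main(void)
{
    char buf[32];                       /* stands in for a BUFSIZ buffer */
    char pw[29];                        /* constructed 28-char password  */
    const char *cell = "example.org";   /* constructed cell name         */

    memset(pw, 'a', 28);
    pw[28] = '\0';

    size_t n = salt_naive(pw, cell, buf, sizeof buf);
    printf("naive:   %zu bytes stored, salt kept: \"%s\"\n", n, buf + 28);
    printf("checked: %ld\n", salt_checked(pw, cell, buf, sizeof buf));
    return 0;
}
```

The naive version keeps only a fragment of the cell name, so the derived key no longer matches one computed from the full salt; the checked version reports the problem before any key is derived.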
