On 10/14/2011 4:10 AM, Andreas Haupt wrote: > Hi Andrew, > > this looks like a hint. Interestingly it doesn't match my observations > with wireshark! I've attached the two AS-REP responses with the suffix > -working & -notworking. The responses are identical (except for the KDC > ip and the encrypted data) ... > > 141.34.22.10 is a Heimdal 1.2.1 KDC, 141.34.22.11 is version 1.5.1 > > Does this help any further? > > Cheers, > Andreas
Andreas: Wireshark cannot show you the type of the session key since that key is only visible to parties that are capable of decrypting the encrypted portions of the response. It is the session key that must be des-cbc-* and which is instead aes256-cts-hmac-sha1-96 in the 1.5.1 case. klog.krb5 should be setting an explicit request for a des-cbc-crc session key. That is a bug which must be fixed. It should be reported to [email protected]. Heimdal 1.5.1 should also be restricting the session key to one of the encryption types that are known to the [email protected] principal. That is also a bug and should be reported on the heimdal mailing list. Jeffrey Altman
signature.asc
Description: OpenPGP digital signature
