| From | "Greg Hudson" <ghudson@mit.edu> |
|---|---|
| Newsgroups | comp.protocols.kerberos |
| Subject | Re: GSS unwrap fails using RC4 session key instead of subkey |
| Date | 2025-05-07 17:59 -0400 |
| Organization | TNet Consulting |
| Message-ID | <mailman.194.1746655186.2322.kerberos@mit.edu> |
| References | <CAGMFw4h2LAOk0qLXkf0mg8yWTZNdXTHZgBcC2Lpupj=UX+fJ_g@mail.gmail.com> <ab72df03-6661-4eaf-90f7-eac59420b9f2@mit.edu> |

On 5/7/25 13:36, Michael B Allen wrote:
> Where does the MITK initiator select the session key vs the subkey?

RC4 is a "not newer" enctype, so krb5_gss_wrap() calls make_seal_token_v1() with enc=ctx->enc. ctx->enc is set up by kg_setup_keys() called at init_sec_context time. It is called first unconditionally in kg_new_connection(), with the initiator's subkey as set by krb5_mk_req_extended(). It may be called again by mutual_auth() with the acceptor's subkey, but only if:

* Mutual authentication is performed
* The AP-REP EncAPRepPart included an acceptor subkey
* The RFC 4121 message format is used (not for RC4), OR DCE-style authentication is in use, OR the acceptor subkey has a different enctype from the initiator subkey

> Bonus question: Is there a trick to getting gdb to work with gss-client
> -pass?

I haven't needed any trick. Using the test suite, I can run (from the top level of a build tree):

    cd appl/gss-sample
    PYTHONPATH=../../../src/util python3 ../../../src/appl/gss-sample/t_gss_sample.py
    # Open testlog in a text editor and search for "arcfour"
    # from there, search for "-pass" and note the command number
    # for me right now that is 156, but there have been some recent
    # changes to the test script
    PYTHONPATH=../../../src/util python3 ../../../src/appl/gss-sample/t_gss_sample.py -v --debug=156
    (gdb) break krb5_gss_wrap
    (gdb) run