On 5/7/25 13:36, Michael B Allen wrote:
Where does the MITK initiator select the session key vs the subkey?
RC4 is a "not newer" enctype, so krb5_gss_wrap() calls
make_seal_token_v1() with enc=ctx->enc.
ctx->enc is set up by kg_setup_keys() called at init_sec_context time.
It is called first unconditionally in kg_new_connection(), with the
initiator's subkey as set by krb5_mk_req_extended(). It may be called
again by mutual_auth() with the acceptor's subkey, but only if:
* Mutual authentication is performed
* The AP-REP EncAPRepPart included an acceptor subkey
* The RFC 4121 message format is used (not for RC4), OR
DCE-style authencation is in use, OR
the acceptor subkey has a different enctype from the initiator subkey
Bonus question: Is there a trick to getting gdb to work with gss-client
-pass?
I haven't needed any trick. Using the test suite, I can run (from the
top level of a build tree):
cd appl/gss-sample
PYTHONPATH=../../../src/util python3
../../../src/appl/gss-sample/t_gss_sample.py
# Open testlog in a text editor and search for "arcfour"
# from there, search for "-pass" and note the command number
# for me right now that is 156, but there have been some recent
# changes to the test script
PYTHONPATH=../../../src/util python3
../../../src/appl/gss-sample/t_gss_sample.py -v --debug=156
(gdb) break krb5_gss_wrap
(gdb) run
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
