LinuxQuestions.org


cmccullo 07-16-2012 10:11 PM

Sserver Decrypt integrity check failed
 
I am trying to implement mutual authentication with Kerberos. I downloaded krb5-1.10.2 and succeeded in getting sclient and sserver to talk to each other. The problem is sserver dies after a single client access. I am trying to add code to get sserver to continue listening and reply to many requests from a client.

The first request is successful. The second and subsequent requests produce the error message: sendauth rejected, error reply is: " Decrypt integrity check failed"

This error is generated by src/lib/crypto/krb/decrypt.c, line 78. Line 78 is a pointer to a function I have not been able to track down.

There are indications that this problem involves reusing a key. Yet, on the client machine, I have issued a kdestroy, then kinit to get a new key and run the client again. No luck. I don't understand where the key is reused or how to get a new one.

Can anyone help with this? Can you point me to a sample client and server that exchange information both ways, over multiple sessions? I need the client and server to authenticate, then the client passes information to the server, which processes it and sends a reply to the client. The client then gets new information and initiates a new session with the server. Like I said above, sserver is a good start, but it dies after a single exchange.

cmccullo 07-28-2012 04:30 PM

I tracked the problem to a different area - src/lib/krb5/krb/rd_req_dec.c line 269. On the first pass through sserver, there is no auth_context->key. On subsequent passes, a key exists and fails. If I terminate sserver and restart it, again, there is no auth_context->key for the first request from sclient, but one appears for subsequent requests.

sclient is a one-time program. It runs and then terminates. I don't understand how it could not produce an auth_context->key on the first run and then produce it on subsequent runs.

I commented out rd_req_dec.c lines 269 through 280, and 285. Now sserver processes multiple requests. This looks like something odd with the way sserver is written - that it creates an auth_context->key after its first request??

cmccullo 07-29-2012 02:22 PM

I added
retval = krb5_auth_con_init(context, &auth_context);
before the krb5_recvauth() statement. This initialized auth_context and fixed the problem.
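
The failure described in the posts above, as a simplified model in C. This is an added example, not part of the thread and not MIT krb5 code: all names are hypothetical, the XOR "cipher" and key values are constructed, and the rule that a key already stored in the context is used in place of the keytab key is an assumption of the model, consistent with what the posts report.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, NOT MIT krb5 code. Every name here is hypothetical. */
#define MAGIC       0xA5   /* toy integrity marker inside the ticket */
#define SERVICE_KEY 0x3C   /* constructed stand-in for the keytab key */

typedef struct { int has_key; uint8_t key; } auth_ctx;  /* models auth_context */
typedef struct { uint8_t ct[2]; } ticket;               /* {MAGIC, session key} ^ key */

/* KDC side: seal a ticket carrying session_key under the service key. */
static ticket issue_ticket(uint8_t session_key) {
    ticket t = { { MAGIC ^ SERVICE_KEY, session_key ^ SERVICE_KEY } };
    return t;
}

/* Server side. Model assumption: a key already stored in the context
 * is used to open the ticket instead of the keytab key. */
static int rd_req(auth_ctx *ctx, const ticket *t) {
    uint8_t k = ctx->has_key ? ctx->key : SERVICE_KEY;
    if ((uint8_t)(t->ct[0] ^ k) != MAGIC)
        return -1;                       /* "Decrypt integrity check failed" */
    ctx->key = (uint8_t)(t->ct[1] ^ k);  /* session key now lives in the context */
    ctx->has_key = 1;
    return 0;
}

/* Accept loop: handle n requests, return how many authenticated.
 * fresh_ctx != 0 models re-initialising the context before each request. */
static int serve(int n, int fresh_ctx) {
    auth_ctx ctx = { 0, 0 };
    int ok = 0;
    for (int i = 0; i < n; i++) {
        if (fresh_ctx)
            ctx = (auth_ctx){ 0, 0 };    /* per-connection state only */
        ticket t = issue_ticket((uint8_t)(0x10 + i)); /* constructed session keys */
        if (rd_req(&ctx, &t) == 0)
            ok++;
    }
    return ok;
}

int main(void) {
    printf("reused context: %d of 3 accepted\n", serve(3, 0));
    printf("fresh context:  %d of 3 accepted\n", serve(3, 1));
    return 0;
}
```

In a real server loop, release the per-connection context with krb5_auth_con_free() once the connection is done, so that re-initialising it on each pass does not leak the previous one.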

