Sserver Decrypt integrity check failed
I am trying to implement mutual authentication with Kerberos. I downloaded krb5-1.10.2 and succeeded in getting sclient and sserver to talk to each other. The problem is sserver dies after a single client access. I am trying to add code to get sserver to continue listening and reply to many requests from a client.
The first request is successful. The second and subsequent requests produce the error message: sendauth rejected, error reply is: "Decrypt integrity check failed". This error is generated by src/lib/crypto/krb/decrypt.c, line 78. Line 78 is a pointer to a function I have not been able to track down. There are indications that this problem involves reusing a key. Yet, on the client machine, I have issued a kdestroy, then kinit to get a new key and run the client again. No luck. I don't understand where the key is reused or how to get a new one.
Can anyone help with this? Can you point me to a sample client and server that exchange information both ways, over multiple sessions? I need the client and server to authenticate, then the client pass information to the server which processes it and sends a reply to the client. The client then gets new information and initiates a new session with the server. Like I said above, sserver is a good start, but it dies after a single exchange.
I tracked the problem to a different area - src/lib/krb5/krb/rd_req_dec.c line 269. On the first pass through sserver, there is no auth_context->key. On subsequent passes, a key exists and fails. If I terminate sserver and restart it, again, there is no auth_context->key for the first request from sclient, but one appears for subsequent requests.
sclient is a one-time program. It runs and then terminates. I don't understand how it could not produce an auth_context->key on the first run and then produce it on subsequent runs. I commented out rd_req_dec.c lines 269 through 280, and 285. Now sserver processes multiple requests. This looks like something odd with the way sserver is written - that it creates an auth_context->key after its first request??
I added
retval = krb5_auth_con_init(context, &auth_context);
before the krb5_recvauth() statement. This initialized auth_context and fixed the problem.
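A simplified model of the behaviour traced in this thread, added here as an illustration and not code from the poster or from krb5: a key left in a reused auth context is tried against the next ticket, so only the first request authenticates, while a fresh context per request accepts all of them. The names auth_ctx, ticket, model_recvauth, count_accepted and SERVICE_KEY, and the toy XOR-plus-tag "cipher", are constructed assumptions; nothing here calls libkrb5.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not libkrb5: auth_ctx stands in for krb5_auth_context. */
typedef struct { int has_key; uint32_t key; } auth_ctx;
typedef struct { uint32_t sealed, check; } ticket;

#define SERVICE_KEY 0x5eed1234u  /* constructed stand-in for the keytab key */

/* Bijective mixer used as a toy integrity tag. */
static uint32_t tag(uint32_t v) { return (v * 2654435761u) ^ 0xa5a5a5a5u; }

/* Client side: every run seals a new session key under the service key. */
static ticket make_ticket(uint32_t session) {
    ticket t = { session ^ SERVICE_KEY, tag(session) };
    return t;
}

/* Models the server step the thread traced: a key already stored in the
 * context is used to decrypt the ticket instead of the service key. */
static int model_recvauth(auth_ctx **ctx, const ticket *t) {
    if (*ctx == NULL && (*ctx = calloc(1, sizeof **ctx)) == NULL) return -2;
    uint32_t k = (*ctx)->has_key ? (*ctx)->key : SERVICE_KEY;
    uint32_t session = t->sealed ^ k;
    if (tag(session) != t->check) return -1;  /* "Decrypt integrity check failed" */
    (*ctx)->key = session;                    /* session key stays in the context */
    (*ctx)->has_key = 1;
    return 0;
}

/* Returns how many of n client runs authenticate. A non-zero
 * fresh_per_request gives each request its own context and frees it. */
int count_accepted(int n, int fresh_per_request) {
    auth_ctx *ctx = NULL;
    int ok = 0;
    for (int i = 0; i < n; i++) {
        ticket t = make_ticket(0x1000u + (uint32_t)i);   /* new session key per run */
        if (fresh_per_request) ctx = NULL;               /* role of krb5_auth_con_init() */
        if (model_recvauth(&ctx, &t) == 0) ok++;
        if (fresh_per_request) { free(ctx); ctx = NULL; } /* role of krb5_auth_con_free() */
    }
    free(ctx);
    return ok;
}

int main(void) {
    printf("reused context: %d of 3\n", count_accepted(3, 0));
    printf("fresh context:  %d of 3\n", count_accepted(3, 1));
    return 0;
}
```

In a real server loop, each krb5_auth_con_init() should be paired with krb5_auth_con_free() once the connection is finished; otherwise every request leaves an allocated context, including its session key, behind in memory.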