make sure the client creates a subkey; also make the server check that

it actually got a subkey, and if not use the session key

lib/libtelnet/kerberos5.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: kerberos5.c,v 1.8 2001/09/17 12:34:43 assar Exp $	*/
+/*	$NetBSD: kerberos5.c,v 1.9 2002/09/20 14:45:29 joda Exp $	*/
 
 /*-
  * Copyright (c) 1991, 1993
@@ -193,6 +193,8 @@ kerberos5_send(Authenticator *ap)
 	else
 		ap_opts = 0;
 
+	ap_opts |= AP_OPTS_USE_SUBKEY;
+    
 	ret = krb5_auth_con_init(telnet_context, &auth_context);
 	if (ret) {
 		if (auth_debug_mode) {
@@ -343,6 +345,28 @@ kerberos5_is(Authenticator * ap, unsigned char *data, int cnt)
 				    krb5_get_err_text(telnet_context, ret));
 			return;
 		}
+		if (key_block == NULL) {
+			ret = krb5_auth_con_getkey(context,
+						   auth_context,
+						   &key_block);
+		}
+		if (ret) {
+			Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
+			auth_finished(ap, AUTH_REJECT);
+			if (auth_debug_mode)
+				printf("Kerberos V5: "
+				       "krb5_auth_con_getkey failed (%s)\r\n",
+				       krb5_get_err_text(context, ret));
+			return;
+		}
+		if (key_block == NULL) {
+			Data(ap, KRB_REJECT, "no subkey received", -1);
+			auth_finished(ap, AUTH_REJECT);
+			if (auth_debug_mode)
+				printf("Kerberos V5: "
+				       "krb5_auth_con_getremotesubkey returned NULL key\r\n");
+			return;
+		}
 		if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
 			ret = krb5_mk_rep(telnet_context,
 			    auth_context, &outbuf);