I'm closing this as it isn't a bug in MIT krb5 or something we can work around, but I'll describe what I understand of the situation and how I believe people can work around it.

To address CVE-2020-17049, Microsoft added a third PAC signature field containing a checksum of the ticket, to prevent a service from using its knowledge of the ticket encryption key to modify the ticket containing the PAC.  When a ticket is renewed, the PAC ticket signature must be recomputed for the new ticket.  A non-updated KDC won't know to do this and will just blindly copy the new PAC signature, which will not be valid for the new ticket.

The CVE fix comes with a three-valued setting PerformTicketSignature.  At value 0 nothing changes (and the security issue isn't fixed), at value 1 the new signature is added but not required, and at value 2 it is required.  The idea is that you can set it to 1 while you are incrementally upgrading your KDCs and waiting for tickets to expire, and then to 2.

Because PerformTicketSignature=1 admits the possibility of non-updated KDCs in the realm which might not process the ticket signature correctly during renewal, Microsoft chose to simply not issue renewable tickets at this setting.  We believe that, at a minimum, this could have been done in a more targeted fashion.  The PAC ticket signature is not required or included in TGTs, and the vast majority of renewal operations are done on TGTs, so they could have continued to issue renewable TGTs (with no PAC ticket signature) but not renewable service tickets.  We have pointed this out to Microsoft and received tentative agreement, but we don't know if they will make any changes to the code.

At PerformTicketSignature=2, all KDCs in the realm are assumed to properly handle the PAC ticket signature, and therefore the KDCs will once again be willing to issue renewable tickets.  So, to work around this problem, finish upgrading all of the realm's KDCs and set PerformTicketSignature=2.

More at: https://support.microsoft.com/en-us/topic/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab
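The workaround described above (finish updating every KDC, then move PerformTicketSignature to 2) is a Windows administration task, so here is an added PowerShell example of how one might audit and then enforce the setting across a domain. It is not code from the MIT krb5 ticket, from MIT, or from Microsoft. It assumes the ActiveDirectory module and PowerShell remoting to each domain controller, and that the value lives as a REG_DWORD named PerformTicketSignature under HKLM:\SYSTEM\CurrentControlSet\Services\Kdc, the location given in the linked Microsoft article. The meaning attached to each value (0 = unfixed, 1 = signature added but not required and renewable tickets not issued, 2 = signature required and renewable tickets issued again) is taken from the message above; an absent value is reported as "not set" rather than guessed, since the effective default depends on patch level.

```powershell
# Added example (not from the ticket or from Microsoft); see lead-in for assumptions.
$KdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'

# Map the three documented values to the behaviour described in the ticket.
$Meaning = @{
    0 = 'CVE-2020-17049 not mitigated; renewable tickets issued'
    1 = 'ticket signature added, not required; renewable tickets NOT issued'
    2 = 'ticket signature required; renewable tickets issued again'
}

function Get-TicketSignatureState {
    # Reads PerformTicketSignature from every DC (or the ones passed in).
    param([string[]]$DomainController = (Get-ADDomainController -Filter * |
                                         Select-Object -ExpandProperty HostName))
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            param($Key)
            (Get-ItemProperty -Path $Key -Name PerformTicketSignature `
                -ErrorAction SilentlyContinue).PerformTicketSignature
        } -ArgumentList $KdcKey

        [pscustomobject]@{
            DomainController       = $dc
            PerformTicketSignature = if ($null -eq $value) { 'not set' } else { $value }
            Effect                 = if ($null -eq $value) { 'unknown (depends on patch level)' }
                                     else { $Meaning[[int]$value] }
        }
    }
}

function Set-TicketSignatureEnforced {
    # Sets PerformTicketSignature=2 on the given DCs. Only do this once every
    # KDC in the realm has the CVE-2020-17049 update and tickets issued under
    # value 1 have had time to expire, as the ticket recommends.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        if ($PSCmdlet.ShouldProcess($dc, 'Set PerformTicketSignature=2')) {
            Invoke-Command -ComputerName $dc -ScriptBlock {
                param($Key)
                Set-ItemProperty -Path $Key -Name PerformTicketSignature `
                    -Value 2 -Type DWord
            } -ArgumentList $KdcKey
        }
    }
}

# Usage: audit first, then enforce only on DCs that are still below 2.
$state = Get-TicketSignatureState
$state | Format-Table -AutoSize
$lagging = $state | Where-Object { $_.PerformTicketSignature -ne 2 }
if ($lagging) {
    Write-Warning ("{0} DC(s) not yet at PerformTicketSignature=2; renewable " +
                   "service tickets will not be issued until all are updated.") -f $lagging.Count
    # Set-TicketSignatureEnforced -DomainController $lagging.DomainController -WhatIf
}
```

Run the audit from a workstation with domain admin rights; the -WhatIf on the enforcement call is deliberate so the change is only applied after you have confirmed every listed DC actually carries the update, which this script cannot verify from the registry value alone.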