
To: krb5-bugs@MIT.EDU
Subject: ticket forwarding broken when TGS and app service have different enctypes
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Fri, 09 May 2003 22:58:05 -0400
A heuristic added to the ticket-forwarding code to avoid problems
forwarding tickets to hosts without DES3 support has backfired. It
requested a forwarded ticket with the enctype of the session key for
talking to the service. However, if the session key and preferred
service key are, say, AES, but the TGS key is DES3 only, and we
(inappropriately) infer the supported key types from the KDB key
types, we'll decide that we can't get an AES TGT to forward. And
since that one enctype was specified in the list, we won't get any
other TGT either.

A better fix is probably to include the list of all supported
enctypes, but add the session key type and service key type to the
front of the list. (If they're in the client's permitted -- or should
it be supported? -- enctypes list; if not, I think other checks we do
on the client side will return an error, needlessly.) Make the two
enctypes we know the server supports be preferred, but not required.

In fact, the implementation on the server and KDC may support enctypes
the client doesn't know about, but I don't think we have any way to
express a willingness to accept a TGT with such a session key for

May want to modify get_cred_via_tkt interface to implement this; if so,
ticket 1429 might be able to take advantage of the revised API too.

Outcome of some discussion at yesterday's meeting:

For 1.3, just try with known-supported enctypes, and then try with our
supported enctype list. Don't change the APIs around right now.

Long term, fix the API and make one call.
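Added example, not code from the krb5 tree or from the ticket: a small C model of the two approaches discussed above, the shipped 1.3 fallback (restricted request, then unrestricted retry) and the proposed single preferred-order list. The names mock_kdc_issue, forward_1_3 and build_preferred_list are hypothetical, and the mock KDC reduces the real KDC to the one inference the report complains about (deciding what it can issue from the TGS key's enctype).

```c
#include <stddef.h>
/* Enctype numbers as in MIT krb5's krb5.h, redefined so this stands alone. */
typedef int krb5_enctype;
#define ENCTYPE_DES3_CBC_SHA1           16
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18

/* Mock KDC (constructed for this example). It infers the session enctypes it
 * can issue from its TGS key, as the report describes, so a restricted request
 * succeeds only if that type is listed; an empty list means "no restriction".
 * Returns the issued TGT's session enctype, or 0 on failure. */
krb5_enctype mock_kdc_issue(krb5_enctype tgs_key,
                            const krb5_enctype *req, size_t nreq)
{
    if (nreq == 0) return tgs_key;
    for (size_t i = 0; i < nreq; i++)
        if (req[i] == tgs_key)
            return tgs_key;
    return 0;
}

/* The 1.3 fix: request the session key's enctype (the old heuristic) and,
 * if the KDC cannot satisfy that, retry with no enctype restriction. */
krb5_enctype forward_1_3(krb5_enctype tgs_key, krb5_enctype session)
{
    krb5_enctype got = mock_kdc_issue(tgs_key, &session, 1);
    return got ? got : mock_kdc_issue(tgs_key, NULL, 0);
}

/* The proposed single-request list: session and service key types first, then
 * every client-permitted enctype, dropping duplicates and unpermitted types.
 * Returns the count written to out, which must hold at least nperm entries. */
size_t build_preferred_list(krb5_enctype session, krb5_enctype service,
                            const krb5_enctype *permitted, size_t nperm,
                            krb5_enctype *out)
{
    krb5_enctype cand[2] = { session, service };
    size_t n = 0, i, j;
    for (i = 0; i < 2 + nperm; i++) {
        krb5_enctype e = i < 2 ? cand[i] : permitted[i - 2];
        int ok = 0;
        for (j = 0; j < nperm && !ok; j++)  /* must be permitted */
            ok = (permitted[j] == e);
        for (j = 0; j < n && ok; j++)       /* skip duplicates */
            ok = (out[j] != e);
        if (ok)
            out[n++] = e;
    }
    return n;
}
```

With an AES session key and a DES3-only TGS key, the restricted request alone fails and the retry yields a DES3 TGT; the preferred list keeps AES first while still offering every permitted type.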
Subject: CVS Commit
Try forwarding with no enctype restriction if forwarding with an
enctype restriction fails. This is sufficient for 1.3.

To generate a diff of this commit:

cvs diff -r5.393 -r5.394 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.20 -r5.21 krb5/src/lib/krb5/krb/fwd_tgt.c
Subject: CVS Commit
pullups from trunk. if there is still a memory management bug
relating to [1429] it should be opened as a separate bug.

To generate a diff of this commit:

cvs diff -r1.68.2.2 -r1.68.2.3 krb5/doc/ChangeLog
cvs diff -r1.13.2.1 -r1.13.2.2 krb5/doc/definitions.texinfo
cvs diff -r1.24 -r1.24.2.1 krb5/doc/install.texinfo
cvs diff -r1.348.2.7 -r1.348.2.8 krb5/src/include/ChangeLog
cvs diff -r1.135.2.3 -r1.135.2.4 krb5/src/include/k5-int.h
cvs diff -r5.136.2.1 -r5.136.2.2 krb5/src/lib/crypto/ChangeLog
cvs diff -r5.9 -r5.9.2.1 krb5/src/lib/crypto/etypes.c
cvs diff -r5.4 -r5.4.2.1 krb5/src/lib/crypto/pbkdf2.c
cvs diff -r1.4.2.1 -r1.4.2.2 krb5/src/lib/crypto/aes/ChangeLog
cvs diff -r1.1 -r1.1.2.1 krb5/src/lib/crypto/aes/aes_s2k.c
cvs diff -r1.18 -r1.18.2.1 krb5/src/lib/crypto/dk/ChangeLog
cvs diff -r1.6 -r1.6.2.1 krb5/src/lib/crypto/dk/dk.h
cvs diff -r1.6 -r1.6.4.1 krb5/src/lib/crypto/dk/dk_decrypt.c
cvs diff -r1.19 -r1.19.2.1
cvs diff -r1.2 -r1.2.2.1 krb5/src/lib/crypto/enc_provider/aes.c
cvs diff -r1.88 -r1.88.2.1 krb5/src/lib/kadm5/ChangeLog
cvs diff -r1.35 -r1.35.2.1 krb5/src/lib/kadm5/alt_prof.c
cvs diff -r5.378.2.7 -r5.378.2.8 krb5/src/lib/krb5/krb/ChangeLog
cvs diff -r5.20 -r5.20.2.1 krb5/src/lib/krb5/krb/fwd_tgt.c
cvs diff -r5.47.2.1 -r5.47.2.2 krb5/src/lib/krb5/krb/gc_frm_kdc.c
cvs diff -r5.68 -r5.68.2.1 krb5/src/lib/krb5/krb/init_ctx.c
cvs diff -r1.72.2.1 -r1.72.2.2
cvs diff -r1.76.2.1 -r1.76.2.2