Subject: gc_frm_kdc doesn't adjust use_conf_ktypes in referrals case
If krb5_get_creds_from_kdc_opt() gets the final service ticket during referrals processing, it
does so with use_conf_ktypes = 1. This may be undesirable, as the application may have
requested to override the config file enctypes. The problem is that the referrals code should set
use_conf_ktypes = 1 when getting TGTs. There may need to be an explicit check to see if the
returned service ticket contains enctypes not requested by the application, and if so, to repeat
the request with use_conf_ktypes = 0.

From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
Subject: krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Sun, 29 Apr 2007 13:35:57 -0400


gss_set_allowable_enctypes eventually ends up causing
krb5_set_default_tgs_enctypes to be called on a krb5_context.

We've been seeing a problem on Debian for 1.6 and 1.6.1 where the NFS
rpc.gssd ends up with an aes context even though it only supports a
des context and requests same by calling gss_set_allowable_enctypes.


I walked through this in gdb and found that while tgs_ktypes is
getting set in the context passed into krb5_get_credentials it is not
being respected. The credentials coming back from
krb5_get_credentials are (in my case) aes. The request to the KDC
includes all the enctypes.

I suspect the referrals code interacts badly with use_conf_ktypes or
something like that.

I actually don't see how referrals could work well with
use_conf_ktypes because I think they have conflicting requirements.
Before fixing this bug it is important to first understand what is
going on and second have a discussion on krbdev about what should
happen instead. I don't think this will be a simple fix.

--Sam

To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
From: Tom Yu <tlyu@MIT.EDU>
Date: Sun, 29 Apr 2007 21:22:17 -0400
This looks like a duplicate of ticket #4950. I think what we want to
do is if we get a final ticket via referrals with an enctype not in
the restricted application-requested set, retry with
use_conf_ktypes=old_use_conf_ktypes.

From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Mon, 30 Apr 2007 04:07:27 -0400
You need to somehow order the enctypes though so that enctypes that
end up in the restricted application set come first (and in their
order) when using conf_ktypes.

If you do that, this sounds reasonable.

To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
From: Tom Yu <tlyu@MIT.EDU>
Date: Mon, 30 Apr 2007 12:29:22 -0400
>>>>> "Sam" == Sam Hartman via RT <rt-comment@krbdev.mit.edu> writes:

Sam> You need to somehow order the enctypes though so that enctypes that
Sam> end up in the restricted application set come first (and in their
Sam> order) when using conf_ktypes.

Sam> If you do that, this sounds reasonable.

Are you suggesting this as an alternative to repeating the request for
the final ticket using conf_ktypes=0?

From: Sam Hartman <hartmans@mit.edu>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #5550] krb5_set_default_tgs_enctypes does not work in Kerberos 1.6
Date: Tue, 01 May 2007 12:16:36 -0400
>>>>> "Tom" == Tom Yu via RT <rt-comment@krbdev.mit.edu> writes:

>>>>> "Sam" == Sam Hartman via RT <rt-comment@krbdev.mit.edu> writes:
Sam> You need to somehow order the enctypes though so that
Sam> enctypes that end up in the restricted application set come
Sam> first (and in their order) when using conf_ktypes.

Sam> If you do that, this sounds reasonable.

Tom> Are you suggesting this as an alternative to repeating the
Tom> request for the final ticket using conf_ktypes=0?


No, in addition to. If the final result is one of the application's
enctypes you need to make sure that the right enctype was chosen.
That depends on ordering.

From: tlyu@mit.edu
Subject: SVN Commit
Based on Apple's patch, during the referrals loop, check to see if the
session key enctype of a returned credential for the final service is
among the enctypes explicitly selected by the application, and retry
with old_use_conf_ktypes if it is not.


Commit By: tlyu



Revision: 19748
Changed Files:
_U trunk/
U trunk/src/lib/krb5/krb/gc_frm_kdc.c

From: tlyu@mit.edu
Subject: SVN Commit
back-port r19748 from trunk

Based on Apple's patch, during the referrals loop, check to see if the
session key enctype of a returned credential for the final service is
among the enctypes explicitly selected by the application, and retry
with old_use_conf_ktypes if it is not.


Commit By: tlyu



Revision: 19751
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/krb/gc_frm_kdc.c
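The following C program is an added illustration of the logic this ticket settled on; it is not the code committed in gc_frm_kdc.c and does not use the krb5 library. It models the r19748 check (if the final-service credential's session key enctype is outside the set the application selected, repeat the request with the application's list instead of the config enctypes) and, separately, Sam's ordering suggestion (application-requested enctypes first, in their order, when the request is built from the config enctypes). Enctype ids are modelled as plain ints, the KDC is a toy that issues the first requested enctype it supports, and the sample lists are constructed to mirror the Debian rpc.gssd report (application wants DES only, krb5.conf prefers AES); all of that is assumed, not taken from the page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the check discussed in the ticket; this is not the
 * code in gc_frm_kdc.c. Enctype ids are modelled as plain ints (assumption). */
typedef int krb5_enctype;

/* RFC 3961 enctype assignments, used only for readable sample data. */
#define ENCTYPE_DES_CBC_CRC    1
#define ENCTYPE_DES_CBC_MD5    3
#define ENCTYPE_DES3_CBC_SHA1  16
#define ENCTYPE_AES128_CTS     17
#define ENCTYPE_AES256_CTS     18

/* True if enctype e appears in list[0..n). */
bool enctype_in_list(krb5_enctype e, const krb5_enctype *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == e)
            return true;
    return false;
}

/* The r19748 check: the application restricted the enctypes (non-empty app
 * list) and the returned session key enctype is not among them, so the
 * final-service request has to be repeated with the application's list. */
bool final_ticket_needs_retry(krb5_enctype session_enctype,
                              const krb5_enctype *app, size_t n_app)
{
    if (app == NULL || n_app == 0)
        return false;            /* no application override: accept as returned */
    return !enctype_in_list(session_enctype, app, n_app);
}

/* Sam's ordering suggestion, as one interpretation: when the request is built
 * from the config enctypes, list those the application also asked for first
 * and in the application's order, then the remaining config enctypes in config
 * order. Duplicates are dropped. Returns the number of enctypes written. */
size_t order_request_enctypes(const krb5_enctype *app, size_t n_app,
                              const krb5_enctype *conf, size_t n_conf,
                              krb5_enctype *out, size_t out_cap)
{
    size_t n = 0;
    for (size_t i = 0; i < n_app && n < out_cap; i++)
        if (enctype_in_list(app[i], conf, n_conf) && !enctype_in_list(app[i], out, n))
            out[n++] = app[i];
    for (size_t i = 0; i < n_conf && n < out_cap; i++)
        if (!enctype_in_list(conf[i], out, n))
            out[n++] = conf[i];
    return n;
}

/* Toy KDC (constructed): issues the first requested enctype it supports, -1 if none. */
static krb5_enctype toy_kdc_pick(const krb5_enctype *req, size_t n_req,
                                 const krb5_enctype *kdc, size_t n_kdc)
{
    for (size_t i = 0; i < n_req; i++)
        if (enctype_in_list(req[i], kdc, n_kdc))
            return req[i];
    return -1;
}

/* Final-service step of the referrals loop after the fix: request with the
 * config enctypes first (use_conf_ktypes = 1); if the session key enctype
 * falls outside the application's set, repeat with the application's list.
 * *retried records whether the second request was needed. */
krb5_enctype get_final_ticket_enctype(const krb5_enctype *app, size_t n_app,
                                      const krb5_enctype *conf, size_t n_conf,
                                      const krb5_enctype *kdc, size_t n_kdc,
                                      int *retried)
{
    *retried = 0;
    krb5_enctype got = toy_kdc_pick(conf, n_conf, kdc, n_kdc);
    if (final_ticket_needs_retry(got, app, n_app)) {
        *retried = 1;
        got = toy_kdc_pick(app, n_app, kdc, n_kdc);
    }
    return got;
}

int main(void)
{
    /* Constructed scenario mirroring the report: the application asks for DES
     * only, the config prefers AES, the KDC has keys for all of them. */
    const krb5_enctype app[]  = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5 };
    const krb5_enctype conf[] = { ENCTYPE_AES256_CTS, ENCTYPE_AES128_CTS,
                                  ENCTYPE_DES3_CBC_SHA1, ENCTYPE_DES_CBC_MD5,
                                  ENCTYPE_DES_CBC_CRC };
    const krb5_enctype kdc[]  = { ENCTYPE_DES_CBC_CRC, ENCTYPE_DES_CBC_MD5,
                                  ENCTYPE_DES3_CBC_SHA1, ENCTYPE_AES128_CTS,
                                  ENCTYPE_AES256_CTS };
    int retried;
    krb5_enctype e = get_final_ticket_enctype(app, 2, conf, 5, kdc, 5, &retried);
    printf("final session key enctype %d (retried=%d)\n", e, retried);

    krb5_enctype ordered[8];
    size_t n = order_request_enctypes(app, 2, conf, 5, ordered, 8);
    printf("ordered request list:");
    for (size_t i = 0; i < n; i++)
        printf(" %d", ordered[i]);
    printf("\n");
    return 0;
}
```

With the plain config list the first request comes back with an AES session key and the retry is needed; with the reordered list the DES enctype is already first, so the retry never triggers, which is why the thread treats the ordering as an addition to the retry rather than a replacement for it.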