From: ghudson@mit.edu
Subject: SVN Commit

Try harder to make keytab-based AS requests work

When making a keytab-based AS request, a client has to choose between
sending its reply key enctype preference list (the enctypes it has in
the keytab) and its session key enctype preference list (all of the
enctypes it supports). Heimdal and MIT krb5 1.11 clients send the
reply key preference list. If this list doesn't overlap with the
server principal keys (say, because the krbtgt principal has only a
DES key), then the AS request will fail.

Try to make this work by making the KDC optimistically pick the first
permitted enctype in the request as the session key, even though it
can't be certain that other KDCs in the realm support that enctype.

Make sure to exercise this case in t_keytab.py by doing a multipass
keytab kinit test.

https://github.com/krb5/krb5/commit/18b02f3e839c007fff54fc9b693f479b7563ec73
Author: Greg Hudson <ghudson@mit.edu>
Commit: 18b02f3e839c007fff54fc9b693f479b7563ec73
Branch: master
src/kdc/kdc_util.c | 17 ++++++++++++++++-
src/tests/t_keytab.py | 7 ++++---
2 files changed, 20 insertions(+), 4 deletions(-)
This workaround may be a bit incomplete for the target audience: a realm
which is migrating off DES, has stopped issuing DES keys for services,
but hasn't updated the krbtgt principal to have anything other than a DES
key.

If this is true, the realm may not have updated kadmin/changepw to
contain additional enctypes either. This ticket's change will make
kinit -k work in such a scenario, but won't make k5srvutil change work.
From: ghudson@mit.edu
Subject: SVN Commit

Include all default etypes in gic_keytab requests

Revert 18b02f3e839c007fff54fc9b693f479b7563ec73 in the KDC. Instead,
when making an initial request with a keytab, transmit the whole
default_tkt_enctypes list, but sorted with the enctypes we have in the
keytab first. That way the KDC should prefer enctypes which we have
keys for (for both reply key and session key), but the other enctypes
are still available for use as ticket session keys.

https://github.com/krb5/krb5/commit/61659df1036d1ad6d6891293f5949e720a2028f7
Author: Greg Hudson <ghudson@mit.edu>
Commit: 61659df1036d1ad6d6891293f5949e720a2028f7
Branch: master
src/kdc/kdc_util.c | 14 ----------
src/lib/krb5/krb/gic_keytab.c | 56 ++++++++++++++++++++++-------------------
2 files changed, 30 insertions(+), 40 deletions(-)
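To make the two client strategies from the commit messages above concrete, here is an added example (not krb5 code, and not from either commit) that models them: `etypes_keytab_only` builds the request list the way the ticket describes the 1.11 client behaving, `etypes_keytab_first` builds the whole default_tkt_enctypes list with keytab enctypes moved to the front, and `first_match` is a deliberately simplified stand-in for the KDC's choice of session key and reply key. The enctype numbers are the RFC 3961/3962/4757 assignments, but the macro names, the `DEFAULT_TKT_ENCTYPES` ordering, the sample keytab and the DES-only krbtgt are all constructed for this illustration; it also assumes the KDC's copy of the client principal's keys matches the keytab.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Enctype numbers as assigned in RFC 3961/3962/4757; the macro names are
 * local to this example, not krb5's own constants. */
typedef int krb5_enctype;
#define ETYPE_NONE          0
#define ETYPE_DES_CBC_CRC   1
#define ETYPE_DES3_CBC_SHA1 16
#define ETYPE_AES128_CTS    17
#define ETYPE_AES256_CTS    18
#define ETYPE_RC4_HMAC      23

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static bool
contains(const krb5_enctype *list, size_t n, krb5_enctype e)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == e)
            return true;
    return false;
}

/* Client behaviour the ticket attributes to Heimdal and MIT 1.11: the AS
 * request advertises only the enctypes present in the keytab. */
size_t
etypes_keytab_only(const krb5_enctype *defaults, size_t ndef,
                   const krb5_enctype *keytab, size_t nkt,
                   krb5_enctype *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < ndef && n < cap; i++)
        if (contains(keytab, nkt, defaults[i]))
            out[n++] = defaults[i];
    return n;
}

/* Behaviour described by 61659df1: the whole default_tkt_enctypes list, with
 * the enctypes we have keytab keys for first.  Relative order inside each
 * group follows the default list. */
size_t
etypes_keytab_first(const krb5_enctype *defaults, size_t ndef,
                    const krb5_enctype *keytab, size_t nkt,
                    krb5_enctype *out, size_t cap)
{
    size_t n = etypes_keytab_only(defaults, ndef, keytab, nkt, out, cap);
    for (size_t i = 0; i < ndef && n < cap; i++)
        if (!contains(keytab, nkt, defaults[i]))
            out[n++] = defaults[i];
    return n;
}

/* Simplified KDC model (assumption, not the real kdc_util.c logic): pick the
 * first requested enctype for which the principal has a key. */
krb5_enctype
first_match(const krb5_enctype *req, size_t nreq,
            const krb5_enctype *keys, size_t nkeys)
{
    for (size_t i = 0; i < nreq; i++)
        if (contains(keys, nkeys, req[i]))
            return req[i];
    return ETYPE_NONE;
}

/* Constructed scenario from the ticket: a realm migrating off DES whose
 * krbtgt still has only a DES key, while the client keytab holds AES keys. */
static const krb5_enctype DEFAULT_TKT_ENCTYPES[] = {
    ETYPE_AES256_CTS, ETYPE_AES128_CTS, ETYPE_DES3_CBC_SHA1,
    ETYPE_RC4_HMAC, ETYPE_DES_CBC_CRC
};
static const krb5_enctype CLIENT_KEYTAB[] = { ETYPE_AES256_CTS, ETYPE_AES128_CTS };
static const krb5_enctype KRBTGT_KEYS[]   = { ETYPE_DES_CBC_CRC };

static size_t
build_request(bool keytab_first, krb5_enctype *req, size_t cap)
{
    if (keytab_first)
        return etypes_keytab_first(DEFAULT_TKT_ENCTYPES, COUNT(DEFAULT_TKT_ENCTYPES),
                                   CLIENT_KEYTAB, COUNT(CLIENT_KEYTAB), req, cap);
    return etypes_keytab_only(DEFAULT_TKT_ENCTYPES, COUNT(DEFAULT_TKT_ENCTYPES),
                              CLIENT_KEYTAB, COUNT(CLIENT_KEYTAB), req, cap);
}

/* Session key enctype the KDC can pick for the krbtgt under each strategy;
 * ETYPE_NONE reproduces the "AS request will fail" case. */
krb5_enctype
session_etype(bool keytab_first)
{
    krb5_enctype req[COUNT(DEFAULT_TKT_ENCTYPES)];
    size_t n = build_request(keytab_first, req, COUNT(req));
    return first_match(req, n, KRBTGT_KEYS, COUNT(KRBTGT_KEYS));
}

/* Reply key enctype: first requested enctype the client has a key for.
 * Because keytab enctypes lead the list, this stays AES in both cases. */
krb5_enctype
reply_etype(bool keytab_first)
{
    krb5_enctype req[COUNT(DEFAULT_TKT_ENCTYPES)];
    size_t n = build_request(keytab_first, req, COUNT(req));
    return first_match(req, n, CLIENT_KEYTAB, COUNT(CLIENT_KEYTAB));
}

int
main(void)
{
    printf("keytab-only:  session etype %d, reply etype %d\n",
           session_etype(false), reply_etype(false));
    printf("keytab-first: session etype %d, reply etype %d\n",
           session_etype(true), reply_etype(true));
    return 0;
}
```

With the keytab-only list the KDC finds no enctype shared with the DES-only krbtgt and the request fails; with the keytab-first list it can still fall back to DES for the ticket session key while the reply key stays at the client's strongest keytab enctype, which is the property the second commit message is after.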
Nico also suggests making gic_keytab use encrypted timestamp preauth
(http://mailman.mit.edu/pipermail/krbdev/2012-July/010999.html), and
making the KDC use the encrypted timestamp key as the reply key. These
are both reasonable ideas, but the former may have some edge cases.