
From: Todd Lubin <>
Date: Wed, 1 Aug 2018 09:17:51 -0400
Subject: krb5_get_credentials incorrectly matches user to user ticket
It seems like there is no way to instruct krb5_get_credentials not to use a cached user-to-user ticket for a particular service principal.

When you pass in KRB5_GC_USER_USER, there is care taken to ensure only a user-to-user ticket is selected. However, the lack of that flag doesn't prevent a user-to-user ticket from being selected from the cache.

It seems like either:
1) the lack of KRB5_GC_USER_USER should only match standard tickets
2) there should be some other flag introduced to express this desire

I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.

However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure ( runs t_s4u, which
fails in check_ticket_count()).

I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key. So I will
look into fixing that bug first.
Subject: git commit

Limit matching of user-to-user ccache credentials

In krb5int_cc_creds_match_request(), do not yield a user-to-user
credential if the caller is not looking for one; it would not be
useful when a normal service ticket (encrypted in the service key) is
required. Reported by Todd Lubin.
Author: Greg Hudson <>
Commit: 77ee8336c3f4d39d12146d8a631f9abd595d4cbb
Branch: master
src/lib/krb5/ccache/cc_retr.c | 5 +++++
src/tests/ | 8 ++++++++
2 files changed, 13 insertions(+), 0 deletions(-)
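As an added illustration of the matching rule the commit describes (this is model code written for this page, not the krb5 library's own cc_retr.c; the types, names and the flag constant are hypothetical stand-ins), the old behaviour is placed beside the fixed one over a constructed cache holding a user-to-user ticket and a normal ticket for the same service.

```c
/* Simplified model of credential-cache matching; not krb5 code. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define GC_USER_USER 0x0001   /* stand-in for KRB5_GC_USER_USER */

typedef struct {
    const char *server;  /* service principal the ticket is for */
    bool is_skey;        /* true if encrypted in another ticket's session key */
} cred_t;

/* Old behaviour: GC_USER_USER narrows the match to user-to-user tickets,
 * but without the flag a user-to-user ticket is still accepted. */
static const cred_t *match_old(const cred_t *cache, size_t n,
                               const char *server, unsigned flags)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;
        if ((flags & GC_USER_USER) && !cache[i].is_skey)
            continue;
        return &cache[i];
    }
    return NULL;
}

/* Fixed behaviour: is_skey must agree with the request in both directions,
 * so a caller wanting a normal service ticket never gets a user-to-user one.
 * (As the thread notes, this relies on is_skey not being set wrongly on
 * S4U2Proxy results, which are encrypted in the service's long-term key.) */
static const cred_t *match_fixed(const cred_t *cache, size_t n,
                                 const char *server, unsigned flags)
{
    bool want_u2u = (flags & GC_USER_USER) != 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cache[i].server, server) != 0)
            continue;
        if (cache[i].is_skey != want_u2u)
            continue;
        return &cache[i];
    }
    return NULL;
}

/* Constructed cache: the user-to-user ticket is stored ahead of the
 * normal one, which is what makes the old rule pick the wrong entry. */
static const cred_t sample_cache[] = {
    { "host/app.example.test", true  },
    { "host/app.example.test", false },
};
static const size_t sample_cache_len = 2;
```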