Skip Menu |

From: "Oliver Freyermuth" <>
Subject: Wrong Encryption types shown in MIT Kerberos Ticket Manager on Windows
Date: Tue, 8 Dec 2020 23:55:06 +0100
Download (untitled) / with headers
text/plain 1.5KiB
Dear Kerberos developers,

fetching a Kerberos TGT from a KDC which allows for a modern session key encryption (e.g. aes265) but a different TKT encryption only (e.g. 3DES),
this is shown correctly with "klist -Afe", but in the graphical Kerberos Ticket Manager, the Session Key enctype is shown for both the Session Key and the Ticket enctype,
i.e. I get:
Session Key: aes265-cts-hmac-sha1-96 Ticket: aes265-cts-hmac-sha1-96
in the GUI, but:
Etype (skey, tkt): aes265-cts-hmac-sha1-96, des3-cbc-sha1
for the same ticket in the same ticket cache in klist.

I'll spare you screenshots (unless you request them) and point to the (likely) issue in the code (I don't have a Windows developer environment set up, so no guarantees that this is the error):

This is how klist works (correctly):
It calls "etype_string" twice, in different statements.

This is how leash/KrbListTickets works:
Note that it calls etype_string twice in the same statement to format the arguments to printf.

The problem lies in the fact that etype_string:
uses a static const char* buffer. Calling it twice within the same printf statement clobbers that static string,
so a wrong formatted string results.

Subject: git commit

Fix enctype display in Leash

In KrbListTickets.cpp, change etype_string() to write its output to a
caller-supplied buffer, so that the session key enctype name and
ticket enctype name don't occupy the same static buffer. Reported by
Oliver Freyermuth.
Author: Greg Hudson <>
Commit: 5a00af5da3bdd137a21f2b59612ba5ef6dba1396
Branch: master
src/windows/leash/KrbListTickets.cpp | 23 +++++++++--------------
1 files changed, 9 insertions(+), 14 deletions(-)