From assar@pdc.kth.se Mon Mar 26 01:02:47 2001
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id BAA01515
for <bugs@RT-11.mit.edu>; Mon, 26 Mar 2001 01:02:47 -0500 (EST)
Received: from ratatosk.pdc.kth.se (ratatosk.pdc.kth.se [193.10.159.41])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id BAA20908;
Mon, 26 Mar 2001 01:02:46 -0500 (EST)
Received: (from assar@localhost)
by ratatosk.pdc.kth.se (8.11.1/8.11.1) id f2Q62iG315661;
Mon, 26 Mar 2001 08:02:44 +0200 (CEST)
Message-Id: <200103260602.f2Q62iG315661@ratatosk.pdc.kth.se>
Date: Mon, 26 Mar 2001 08:02:44 +0200 (CEST)
From: assar@sics.se
To: krb5-bugs@mit.edu
Cc: hartmans@mit.edu
Subject: kdc accepts etypes in as-req that are not accepted in tgs-req
X-Send-Pr-Version: 3.99
select_session_keytype will give up krbtgt-tickets with enctypes that
will not be accepted when the poor client ties to use these tickets
grab your heimdal kinit, get a krbtgt from a MIT kdc, watch it having
des-cbc-md5 type, try to obtain an additional ticket, get unhelpful
error messages back
--- kdc_util.c~ Wed Feb 28 23:07:28 2001
+++ kdc_util.c Sun Mar 4 07:38:54 2001
@@ -1456,6 +1456,9 @@
if (!valid_enctype(ktype[i]))
continue;
+ if (!krb5_is_permitted_enctype(context, ktype[i]))
+ continue;
+
if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
Received: from pacific-carrier-annex.mit.edu (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.7.21.83])
by rt-11.mit.edu (8.9.3/8.9.3) with ESMTP id BAA01515
for <bugs@RT-11.mit.edu>; Mon, 26 Mar 2001 01:02:47 -0500 (EST)
Received: from ratatosk.pdc.kth.se (ratatosk.pdc.kth.se [193.10.159.41])
by pacific-carrier-annex.mit.edu (8.9.2/8.9.2) with ESMTP id BAA20908;
Mon, 26 Mar 2001 01:02:46 -0500 (EST)
Received: (from assar@localhost)
by ratatosk.pdc.kth.se (8.11.1/8.11.1) id f2Q62iG315661;
Mon, 26 Mar 2001 08:02:44 +0200 (CEST)
Message-Id: <200103260602.f2Q62iG315661@ratatosk.pdc.kth.se>
Date: Mon, 26 Mar 2001 08:02:44 +0200 (CEST)
From: assar@sics.se
To: krb5-bugs@mit.edu
Cc: hartmans@mit.edu
Subject: kdc accepts etypes in as-req that are not accepted in tgs-req
X-Send-Pr-Version: 3.99
Show quoted text
>Number: 934
>Category: krb5-kdc
>Synopsis: kdc accepts etypes in as-req that are not accepted in tgs-req
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 26 01:03:01 EST 2001
>Last-Modified:
>Originator: Assar Westerlund
>Organization:
heimdal hackers>Category: krb5-kdc
>Synopsis: kdc accepts etypes in as-req that are not accepted in tgs-req
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Mon Mar 26 01:03:01 EST 2001
>Last-Modified:
>Originator: Assar Westerlund
>Organization:
Show quoted text
>Release: krb5-1.2.2
>Environment:
any>Environment:
Show quoted text
>Description:
select_session_keytype will give up krbtgt-tickets with enctypes that
will not be accepted when the poor client ties to use these tickets
Show quoted text
>How-To-Repeat:
grab your heimdal kinit, get a krbtgt from a MIT kdc, watch it having
des-cbc-md5 type, try to obtain an additional ticket, get unhelpful
error messages back
Show quoted text
>Fix:
--- kdc_util.c~ Wed Feb 28 23:07:28 2001
+++ kdc_util.c Sun Mar 4 07:38:54 2001
@@ -1456,6 +1456,9 @@
if (!valid_enctype(ktype[i]))
continue;
+ if (!krb5_is_permitted_enctype(context, ktype[i]))
+ continue;
+
if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
Show quoted text
>Audit-Trail:
>Unformatted:
>Unformatted: