[37800] in Kerberos
Re: Rekeying krbtgt and the behaviour of SSH and delegated credentials
daemon@ATHENA.MIT.EDU (John Devitofranceschi)
Sat Dec 3 23:50:36 2016
From: John Devitofranceschi <foonon@gmail.com>
Message-Id: <631FDC1E-20FD-41E4-B7AD-39C424CF9F5B@gmail.com>
Date: Sat, 3 Dec 2016 22:59:44 -0500
In-Reply-To: <20160810152959.GF2930@youthful-indiscretion.oucs.ox.ac.uk>
To: Michael Howe <michael.howe@it.ox.ac.uk>
Cc: kerberos@mit.edu
> On Aug 10, 2016, at 11:29 AM, Michael Howe <michael.howe@it.ox.ac.uk> wrote:
>
> Hi Greg,
>
> On Mon, Aug 08, 2016 at 01:39:49PM -0400, Greg Hudson wrote:
>> On 08/05/2016 02:48 PM, Michael Howe wrote:
>>> When a client has an existing (forwardable) ticket, and the krbtgt is
>>> rekeyed with -keepold, most things keep working. However, if that
>>> ticket is used with SSH using GSSAPIDelegateCredentials=yes it seems to
>>> make the forwarded ticket unusable - the KDC returns 'Bad encryption
>>> type' whenever it's used. (I've not tested other applications that
>>> might forward credentials.)
>>
>
> I've tested with 1.14, and that does indeed fix things. As it's only
> required on the KDCs, and 1.14 in Debian is trivially backportable to
> run on Debian stable, I'm happy to use it to solve the problem,
> particularly if the fix is invasive. That said, I might raise a Debian
> bug anyway, so the maintainers are aware (and anyone else encountering
> the issue can find it more easily).
>

We ran into this recently and found that renewed tickets were also unusable. They could not even be renewed. Our KDC is 1.13.2.

At least we know for certain that tickets using the old key have all expired now and that we can purge the old keys! The last HANDLE_AUTHDATA error appeared just about 2*max_life hours after the change was made.

Perhaps a word about this in the "Changing the krbtgt key" section (all versions) of the online documentation would be in order?

jd
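Added example, not part of this thread or of MIT krb5: a small Python check that turns the poster's two signals, the observed 2*max_life window after a `kadmin cpw -keepold` rekey and the HANDLE_AUTHDATA / 'Bad encryption type' TGS errors, into a purge-or-wait decision for the old krbtgt keys. The log lines are constructed to resemble krb5kdc.log, and the 2*max_life factor is the poster's observation for their realm, not a documented guarantee.

```python
"""Decide when krbtgt keys kept with 'kadmin cpw -keepold' can be purged.

Two signals: the poster's observed window of 2*max_life after the rekey,
and HANDLE_AUTHDATA / 'Bad encryption type' TGS rejections, which only
occur while tickets encrypted under the old key are still being presented.
"""
import re
from datetime import datetime, timedelta

# Constructed sample, shaped like krb5kdc.log; not taken from the thread.
SAMPLE_LOG = """\
Dec 03 10:00:00 kdc krb5kdc[1234](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1480755600, etypes {rep=18 tkt=18 ses=18}, jd@EXAMPLE.COM for host/box.example.com@EXAMPLE.COM
Dec 03 11:15:00 kdc krb5kdc[1234](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: HANDLE_AUTHDATA: authtime 1480755600, jd@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Bad encryption type
Dec 04 07:40:00 kdc krb5kdc[1234](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: HANDLE_AUTHDATA: authtime 1480840800, alice@EXAMPLE.COM for host/srv.example.com@EXAMPLE.COM, Bad encryption type
"""

OLD_KEY_ERROR = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) .*HANDLE_AUTHDATA: .*Bad encryption type$"
)


def old_key_error_times(log_text, year):
    """Timestamps of TGS requests rejected with 'Bad encryption type' while
    handling authdata. Syslog stamps carry no year, so the caller supplies it."""
    times = []
    for line in log_text.splitlines():
        m = OLD_KEY_ERROR.match(line)
        if m:
            times.append(datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"))
    return times


def purge_decision(now, rekey_time, max_life, error_times, factor=2):
    """Return (ok_to_purge, reason). Old keys count as dead once factor*max_life
    has elapsed since the rekey and no old-key error was logged after that window."""
    cutoff = rekey_time + factor * max_life
    if now < cutoff:
        return False, f"wait until {cutoff:%Y-%m-%d %H:%M}"
    late = [t for t in error_times if t > cutoff]
    if late:
        return False, f"{len(late)} old-key error(s) after {cutoff:%Y-%m-%d %H:%M}; old tickets still in use"
    return True, "no old-key errors after the expected window"


def check_sample(max_life_hours, now=datetime(2016, 12, 5, 9, 0)):
    """Run the decision over SAMPLE_LOG for a rekey at 2016-12-03 10:30 (constructed)."""
    errs = old_key_error_times(SAMPLE_LOG, 2016)
    return purge_decision(now, datetime(2016, 12, 3, 10, 30), timedelta(hours=max_life_hours), errs)


if __name__ == "__main__":
    for hours in (10, 12):
        ok, why = check_sample(hours)
        print(f"max_life={hours}h: purge={ok} ({why})")
```

With a 10-hour max_life the error at 07:40 on Dec 04 falls after the 2*max_life window and blocks the purge; with a 12-hour max_life it falls inside the window and the purge is allowed.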
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos