[37802] in Kerberos


Re: Rekeying krbtgt and the behaviour of SSH and delegated credentials

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Dec 5 12:01:41 2016

To: John Devitofranceschi <foonon@gmail.com>,
        Michael Howe <michael.howe@it.ox.ac.uk>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <78cb4fdc-b65f-6e1e-258c-740496ca2add@mit.edu>
Date: Mon, 5 Dec 2016 12:01:25 -0500
MIME-Version: 1.0
In-Reply-To: <631FDC1E-20FD-41E4-B7AD-39C424CF9F5B@gmail.com>
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On 12/03/2016 10:59 PM, John Devitofranceschi wrote:
> We ran into this recently and found that renewed tickets were also unusable. They could not even be renewed. Our KDC is 1.13.2.

Thanks.  In hindsight, this bug manifesting with renewed as well as
forwarded tickets should have been obvious as they are both ticket
modification requests, but I hadn't made the connection.

I have submitted a PR to add a regression test case for renewing across
krbtgt rekeys, and another PR to add caveats to the "Changing the krbtgt
key" documentation as you suggested (for this problem and for
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8519 ).
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
