[16538] in Kerberos-V5-bugs


[krbdev.mit.edu #8906] KDC can select local TGT key of unsupported enctype

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Wed May 13 12:59:56 2020

From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.4-90596-1589389177-362.8906-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8906":;
Date: Wed, 13 May 2020 12:59:38 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Wed May 13 12:59:37 2020: Request 8906 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: KDC can select local TGT key of unsupported enctype
       Owner: Nobody
  Requestors: ghudson@mit.edu
      Status: open
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8906 >


If the first current key of the local krbtgt principal is of an unsupported
enctype, but there are other keys of the same enctype, an AS-REQ for a local
TGT will fail with the cryptic "HANDLE_AUTHDATA: <client> for
krbtgt/REALM@REALM, Bad encryption
type". This error has been observed in the wild (by Leonard Peirce at WMich)
while staging an upgrade from 1.14 to 1.18, with a single-DES first local TGT
key.

This happens because get_local_tgt() (introduced in commit
570967e11bd5ea60a82fc8157ad7d07602402ebb) takes a shortcut, decrypting the
first key data entry in the principal entry instead of calling
krb5_dbe_find_enctype() as previous code did. Commit
44ad57d8d38efc944f64536354435f5b721c0ee0 made this shortcut mostly valid by
sorting key data, but there is still this edge case. When
make_signedpath_checksum() tries to use the local TGT key, it gets the
KRB5_BAD_ENCTYPE error.
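To make the edge case concrete, here is a small model of the two key-selection strategies the ticket contrasts. It is an illustration written for this page, not code from krb5: the key_data layout, the error names (MODEL_BAD_ENCTYPE stands in for KRB5_BAD_ENCTYPE), the "only AES is supported" policy, and the assumption that key data is sorted so the current kvno comes first are all constructed here. The sample key list is likewise constructed to resemble a principal whose first current key is single-DES while later keys of the same kvno are AES.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Numeric enctype identifiers as registered for Kerberos. */
enum enctype {
    ENCTYPE_DES_CBC_CRC = 1,
    ENCTYPE_DES_CBC_MD5 = 3,
    ENCTYPE_AES128_CTS  = 17,
    ENCTYPE_AES256_CTS  = 18,
};

/* Model of one key data entry (assumed layout, not the krb5 struct). */
struct key_data {
    int kvno;
    enum enctype enctype;
};

/* Model result codes; MODEL_BAD_ENCTYPE plays the role of KRB5_BAD_ENCTYPE. */
enum select_result { MODEL_OK = 0, MODEL_BAD_ENCTYPE = 1, MODEL_NO_KEY = 2 };

/* Assumed KDC policy: a build with single-DES disabled, so only AES is usable. */
static bool enctype_supported(enum enctype e)
{
    return e == ENCTYPE_AES128_CTS || e == ENCTYPE_AES256_CTS;
}

/* The shortcut: trust that entry 0 is usable because the list is sorted.
 * Fails with the model's bad-enctype error when entry 0 is unsupported. */
static enum select_result select_first_key(const struct key_data *keys, size_t n,
                                           struct key_data *out)
{
    if (n == 0)
        return MODEL_NO_KEY;
    if (!enctype_supported(keys[0].enctype))
        return MODEL_BAD_ENCTYPE;
    *out = keys[0];
    return MODEL_OK;
}

/* The search: among keys of the current (first, highest) kvno, take the first
 * one whose enctype the KDC supports. Assumes kvno-descending sort order. */
static enum select_result select_current_supported_key(const struct key_data *keys,
                                                       size_t n, struct key_data *out)
{
    if (n == 0)
        return MODEL_NO_KEY;
    int current_kvno = keys[0].kvno;
    for (size_t i = 0; i < n && keys[i].kvno == current_kvno; i++) {
        if (enctype_supported(keys[i].enctype)) {
            *out = keys[i];
            return MODEL_OK;
        }
    }
    return MODEL_BAD_ENCTYPE;
}

/* Constructed key list: kvno 3 has a single-DES key first, then AES keys;
 * kvno 2 is an older key set that must not be selected. */
static const struct key_data staged_upgrade_keys[] = {
    { 3, ENCTYPE_DES_CBC_CRC },
    { 3, ENCTYPE_AES256_CTS },
    { 3, ENCTYPE_AES128_CTS },
    { 2, ENCTYPE_AES256_CTS },
};
static const size_t staged_upgrade_nkeys =
    sizeof(staged_upgrade_keys) / sizeof(staged_upgrade_keys[0]);

/* What the shortcut returns on the constructed list. */
int demo_shortcut_result(void)
{
    struct key_data kd;
    return select_first_key(staged_upgrade_keys, staged_upgrade_nkeys, &kd);
}

/* Which enctype the search selects on the constructed list (0 on failure). */
int demo_search_enctype(void)
{
    struct key_data kd;
    if (select_current_supported_key(staged_upgrade_keys, staged_upgrade_nkeys, &kd) != MODEL_OK)
        return 0;
    return kd.enctype;
}

int main(void)
{
    printf("shortcut result code: %d (1 = bad enctype)\n", demo_shortcut_result());
    printf("search selected enctype: %d (18 = aes256-cts)\n", demo_search_enctype());
    return 0;
}
```

The search variant also reports a bad enctype when no key of the current kvno is supported, which is the genuine failure an operator should see; the shortcut reports it even though a usable key exists two entries later.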


_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
