[16874] in Kerberos-V5-bugs

[krbdev.mit.edu #9089] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Mar 27 14:27:47 2023

From: "Greg Hudson via RT" <rt-comment@krbdev.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.3-2-1893363-1679941636-1164.9089-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #9089":;
Date: Mon, 27 Mar 2023 14:27:16 -0400
MIME-Version: 1.0
Reply-To: rt-comment@krbdev.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Mon Mar 27 14:27:16 2023: Request 9089 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson@mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089 >



Add pac_privsvr_enctype string attribute

The KDC uses the first local TGT key for the privsvr and full PAC
checksums.  If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer.  This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.

As a workaround, add a string attribute which can force the privsvr
key to use a specified enctype using key derivation when issuing
tickets to that principal.  This attribute can be set on cross-realm
TGT entries when the target realm uses Active Directory and the local
TGT uses an aes-sha2 primary key.

https://github.com/krb5/krb5/commit/5af907156f8f502bbe268f0c62274f88a61261e4
Author: Greg Hudson <ghudson@mit.edu>
Commit: 5af907156f8f502bbe268f0c62274f88a61261e4
Branch: master
 doc/admin/admin_commands/kadmin_local.rst |  9 ++++
 src/include/kdb.h                         |  1 +
 src/kdc/do_tgs_req.c                      |  6 +--
 src/kdc/kdc_authdata.c                    |  7 ++-
 src/kdc/kdc_util.c                        | 72 +++++++++++++++++++++++++++----
 src/kdc/kdc_util.h                        |  6 ++-
 src/tests/t_authdata.py                   | 19 +++++++-
 7 files changed, 105 insertions(+), 15 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
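The following script is an added illustration of the size problem the commit describes and of the workaround it introduces; it is not code from krb5 or from this commit.  It tabulates the mandatory checksum of each enctype, encodes the PAC_SIGNATURE_DATA buffer a KDC would emit for the privsvr checksum, and runs it through a model of a target-realm KDC that cannot verify the checksum but rejects any SignatureType or buffer length outside what [MS-PAC] 2.8.2 permits.  Assumptions, beyond the constructed key, PAC bytes and realm names: the checksums are computed with a raw key (the RFC 3962/8009 Kc derivation and RC4's KSIGN step are skipped, since only type and length matter here), the strict acceptance check is a model of the observed Microsoft behaviour rather than its actual code, the choice of "same AES key size, SHA-1 variant" as the attribute value is this example's, and the kadmin command line assumes the existing set_string/setstr command with the attribute name from the commit subject.

```python
"""Added example (not krb5 code): why a sha2-family TGT key produces a
privsvr PAC signature an Active Directory KDC may reject, and what
pac_privsvr_enctype value to set on the cross-realm TGT entry instead.
Checksums use a constructed raw key and skip the RFC 3962/8009 Kc
derivation (and RC4's KSIGN step); only the sizes and types matter here."""
import hmac
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Enctype:
    name: str
    etype: int       # RFC 3961/8009 enctype number
    cksumtype: int   # mandatory checksum type, carried as PAC SignatureType
    hash_name: str   # hashlib name used by the HMAC
    cksum_len: int   # truncated HMAC output length in bytes


ENCTYPES = {e.name: e for e in (
    Enctype("rc4-hmac", 23, -138, "md5", 16),   # KERB_CHECKSUM_HMAC_MD5 (0xFFFFFF76)
    Enctype("aes128-cts-hmac-sha1-96", 17, 15, "sha1", 12),
    Enctype("aes256-cts-hmac-sha1-96", 18, 16, "sha1", 12),
    Enctype("aes128-cts-hmac-sha256-128", 19, 19, "sha256", 16),
    Enctype("aes256-cts-hmac-sha384-192", 20, 20, "sha384", 24),
)}

# [MS-PAC] 2.8.2 allows only these SignatureTypes for the KDC (privsvr)
# signature: HMAC_MD5, HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256.
MSPAC_KDC_SIGNATURE_TYPES = {-138: 16, 15: 12, 16: 12}


def pac_checksum(et: Enctype, key: bytes, data: bytes) -> bytes:
    """Truncated HMAC as the enctype's mandatory checksum (raw key, see above)."""
    return hmac.new(key, data, et.hash_name).digest()[: et.cksum_len]


def signature_data(et: Enctype, key: bytes, pac_body: bytes) -> bytes:
    """Encode PAC_SIGNATURE_DATA: little-endian SignatureType, then the
    checksum (RODCIdentifier omitted)."""
    return struct.pack("<i", et.cksumtype) + pac_checksum(et, key, pac_body)


def strict_ad_accepts(buf: bytes) -> bool:
    """Model a target-realm KDC that cannot verify the privsvr checksum
    (it has no key for it) but still insists on an MS-PAC-shaped buffer:
    a permitted SignatureType and exactly 4 bytes plus that type's length."""
    if len(buf) < 4:
        return False
    sigtype = struct.unpack("<i", buf[:4])[0]
    expected = MSPAC_KDC_SIGNATURE_TYPES.get(sigtype)
    return expected is not None and len(buf) == 4 + expected


# The attribute value this example picks: same AES key size, SHA-1 variant.
# That mapping is the example's choice, not something the commit specifies.
PRIVSVR_FALLBACK = {
    "aes128-cts-hmac-sha256-128": "aes128-cts-hmac-sha1-96",
    "aes256-cts-hmac-sha384-192": "aes256-cts-hmac-sha1-96",
}


def privsvr_plan(local_tgt: str, xrealm_tgt: str) -> dict:
    """For a local TGT key enctype, report the privsvr signature buffer the
    KDC would emit, whether the strict model accepts it, and if not, the
    pac_privsvr_enctype to set on the cross-realm TGT principal xrealm_tgt."""
    et = ENCTYPES[local_tgt]
    key = bytes(range(32))                 # constructed key material
    pac_body = b"constructed PAC bytes"    # constructed stand-in for the PAC
    buf = signature_data(et, key, pac_body)
    ok = strict_ad_accepts(buf)
    fallback: Optional[str] = None if ok else PRIVSVR_FALLBACK.get(local_tgt)
    # Assumed kadmin syntax: set_string (alias setstr) is kadmin's existing
    # command for string attributes; the attribute name is from the commit.
    cmd = None if fallback is None else (
        f"kadmin.local -q 'setstr {xrealm_tgt} pac_privsvr_enctype {fallback}'")
    return {"enctype": local_tgt, "sig_buf_len": len(buf),
            "accepted": ok, "set_privsvr_to": fallback, "kadmin": cmd}


if __name__ == "__main__":
    for name in ENCTYPES:
        print(privsvr_plan(name, "krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM"))
```

Note that size alone is not the discriminator: an rc4-hmac privsvr signature and an aes128-cts-hmac-sha256-128 one are both 20 bytes, but only the former carries a SignatureType the specification lists, which is why the fix pins the privsvr key's enctype rather than merely truncating the checksum.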