[1759] in Kerberos-V5-bugs
krb524d
daemon@ATHENA.MIT.EDU (Sam Hartman)
Mon Dec 25 01:58:43 1995
Date: Mon, 25 Dec 1995 01:58:37 -0500
From: Sam Hartman <hartmans@MIT.EDU>
To: krb5-bugs@MIT.EDU
I'll probably check in fixes for these later today, but in
case I don't get to it:

* krb524d should find a keyblock with a single DES enctype--possibly
by using krb5_dbe_find_enctype. Currently, it just steps through the
keys finding the highest version. This has a rather amusing failure
with the TGS key, because it happily finds the triple-DES key, and
proceeds to encrypt a v4 ticket in this key. Needless to say, the TGS
doesn't try decrypting a v4 tgt with triple-DES, so things don't work
very well.

* I don't believe the following code from k524init.c does what I (and
probably the original author) think it should. In particular, if a
triple-DES key is near the front of supported tgs enctypes, it gets a
v5 ticket with des3-md5 enctype and fails. I suspect the credentials
cache routines are either buggy or not designed to deal with this
situation. This bug may turn out to be hard to fix, and I contend that
not using triple-DES as the default TGS request type is not a
reasonable long-term solution. I will submit more details as I
investigate what is failing.

    increds.client = client;
    increds.server = server;
    increds.times.endtime = 0;
    increds.keyblock.enctype = ENCTYPE_DES_CBC_MD5;

--Sam
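
Added example (not part of the message above and not krb524d source): a self-contained C model of the key selection described in the first item, showing the highest-kvno-only walk next to a walk restricted to single-DES enctypes. The struct, the ex_ names and the key list are constructed for illustration, and the enctype numbers are assumed to match the Kerberos assigned values.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for this example; not the KDC database structures. */
enum { EX_DES_CBC_CRC = 1, EX_DES_CBC_MD4 = 2, EX_DES_CBC_MD5 = 3, EX_DES3_CBC_MD5 = 5 };
struct ex_key { int kvno; int enctype; };

static int ex_is_single_des(int enctype)
{
    return enctype == EX_DES_CBC_CRC || enctype == EX_DES_CBC_MD4 ||
           enctype == EX_DES_CBC_MD5;
}

/* Behaviour described in the report: highest kvno wins, enctype is ignored. */
const struct ex_key *ex_pick_highest_kvno(const struct ex_key *k, size_t n)
{
    const struct ex_key *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (best == NULL || k[i].kvno > best->kvno)
            best = &k[i];
    return best;
}

/* What a v4 ticket needs: highest kvno among single-DES keys only.
   Returns NULL when there is none, so the caller fails cleanly. */
const struct ex_key *ex_pick_v4_key(const struct ex_key *k, size_t n)
{
    const struct ex_key *best = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!ex_is_single_des(k[i].enctype)) continue;
        if (best == NULL || k[i].kvno > best->kvno)
            best = &k[i];
    }
    return best;
}

/* Constructed key list for a TGS principal: triple-DES stored first. */
const struct ex_key ex_tgs_keys[] = {
    { 2, EX_DES3_CBC_MD5 },
    { 2, EX_DES_CBC_MD5 },
    { 1, EX_DES_CBC_CRC },
};

int main(void)
{
    printf("kvno only:   enctype %d\n", ex_pick_highest_kvno(ex_tgs_keys, 3)->enctype);
    printf("single DES:  enctype %d\n", ex_pick_v4_key(ex_tgs_keys, 3)->enctype);
    return 0;
}
```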