[3189] in Kerberos-V5-bugs


krb5-kdc/934: kdc accepts etypes in as-req that are not accepted in tgs-req

daemon@ATHENA.MIT.EDU (assar@sics.se)
Mon Mar 26 01:03:10 2001

Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@MIT.EDU, assar@sics.se
Message-Id: <200103260602.f2Q62iG315661@ratatosk.pdc.kth.se>
Date: Mon, 26 Mar 2001 08:02:44 +0200 (CEST)
From: assar@sics.se
To: krb5-bugs@mit.edu
Cc: hartmans@mit.edu


>Number:         934
>Category:       krb5-kdc
>Synopsis:       kdc accepts etypes in as-req that are not accepted in tgs-req
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          sw-bug
>Submitter-Id:   unknown
>Arrival-Date:   Mon Mar 26 01:03:01 EST 2001
>Last-Modified:
>Originator:     Assar Westerlund
>Organization:
heimdal hackers
>Release:        krb5-1.2.2
>Environment:
	any
>Description:

select_session_keytype will give up krbtgt-tickets with enctypes that
will not be accepted when the poor client tries to use these tickets

>How-To-Repeat:

grab your heimdal kinit, get a krbtgt from a MIT kdc, watch it having
des-cbc-md5 type, try to obtain an additional ticket, get unhelpful
error messages back

>Fix:

--- kdc_util.c~	Wed Feb 28 23:07:28 2001
+++ kdc_util.c	Sun Mar  4 07:38:54 2001
@@ -1456,6 +1456,9 @@
 	if (!valid_enctype(ktype[i]))
 	    continue;
 
+	if (!krb5_is_permitted_enctype(context, ktype[i]))
+	    continue;
+
 	if (dbentry_supports_enctype(context, server, ktype[i]))
 	    return ktype[i];
     }
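Review bot: the new krb5_is_permitted_enctype check at the top of the loop is the right place for the filter, since it sits beside the existing valid_enctype and dbentry_supports_enctype checks, but the hunk does not show what select_session_keytype returns once every requested ktype has been skipped; confirm the fall-through after the closing `}` yields an error or a null enctype that the caller rejects, rather than a last-resort enctype the TGS would refuse later, which is exactly the symptom this report describes. Also note the diff paths carry no directory prefix (kdc_util.c~ / kdc_util.c), so it applies with `-p0` from the directory containing kdc_util.c.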
>Audit-Trail:
>Unformatted:
