[krbdev.mit.edu #8906] KDC can select local TGT key of unsupported enctype


Greg Hudson via RT

Wed May 13 12:59:37 2020: Request 8906 was acted upon.
 Transaction: Ticket created by [hidden email]
       Queue: krb5
     Subject: KDC can select local TGT key of unsupported enctype
       Owner: Nobody
  Requestors: [hidden email]
      Status: open
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8906 >

If the first current key of the local krbtgt principal is of an unsupported
enctype, but there are other keys of the same enctype, an AS-REQ for a local
TGT will fail with the cryptic "HANDLE_AUTHDATA: <client> for
krbtgt/REALM@REALM, Bad encryption
type". This error has been observed in the wild (by Leonard Peirce at WMich)
while staging an upgrade from 1.14 to 1.18, with a single-DES first local TGT

This happens because get_local_tgt() (introduced in commit
570967e11bd5ea60a82fc8157ad7d07602402ebb) takes a shortcut, decrypting the
first key data entry in the principal entry instead of calling
krb5_dbe_find_enctype() as previous code did. Commit
44ad57d8d38efc944f64536354435f5b721c0ee0 made this shortcut mostly valid by
sorting key data, but there is still this edge case. When
make_signedpath_checksum() tries to use the local TGT key, it gets the

krb5-bugs mailing list
[hidden email]
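As an added illustration (not MIT krb5 code, and not using the libkrb5 API), the C program below models the two key-selection strategies the ticket contrasts: taking the first key_data entry outright, versus scanning the keys of the current kvno for one whose enctype the KDC can actually use. The struct, enctype numbers, error codes and the krbtgt key list are simplified stand-ins constructed for this example; the "supported" set is an assumption modelling a build with single DES disabled, and the key ordering (DES listed first within the current kvno) is the constructed edge case, not a claim about how the KDB sorts keys.

```c
/*
 * Added illustration (not MIT krb5 code): why taking the first key_data
 * entry of the local krbtgt principal can select an unsupported enctype
 * while a usable key of the same kvno sits further down the list.
 */
#include <stdio.h>
#include <stddef.h>

/* Standard enctype numbers, used only as labels here. */
enum {
    ENCTYPE_DES_CBC_CRC = 1,
    ENCTYPE_DES3_CBC_SHA1 = 16,
    ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17,
    ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
};

/* Demonstration error codes (not libkrb5's values). */
enum { KDC_OK = 0, KDC_ERR_BAD_ENCTYPE = 1, KDC_ERR_NO_KEY = 2 };

/* Minimal stand-in for krb5_key_data: kvno plus enctype. */
struct key_data { int kvno; int enctype; };

/* Assumption: enctypes the KDC's crypto library accepts. Single DES is
 * excluded, as on a default 1.18 build. */
static int enctype_supported(int etype)
{
    return etype == ENCTYPE_DES3_CBC_SHA1 ||
           etype == ENCTYPE_AES128_CTS_HMAC_SHA1_96 ||
           etype == ENCTYPE_AES256_CTS_HMAC_SHA1_96;
}

static int highest_kvno(const struct key_data *keys, size_t n)
{
    int max = -1;
    for (size_t i = 0; i < n; i++)
        if (keys[i].kvno > max) max = keys[i].kvno;
    return max;
}

/* Shortcut: assume key data is sorted so entry 0 is a usable current key.
 * Decrypting that entry fails if its enctype is unsupported. */
int select_tgt_key_first(const struct key_data *keys, size_t n, int *out)
{
    if (n == 0) return KDC_ERR_NO_KEY;
    if (!enctype_supported(keys[0].enctype)) return KDC_ERR_BAD_ENCTYPE;
    *out = keys[0].enctype;
    return KDC_OK;
}

/* Enctype-aware lookup: among keys of the current (highest) kvno, return
 * the first one whose enctype the KDC supports. */
int select_tgt_key_supported(const struct key_data *keys, size_t n, int *out)
{
    int kvno = highest_kvno(keys, n);
    for (size_t i = 0; i < n; i++) {
        if (keys[i].kvno != kvno) continue;
        if (enctype_supported(keys[i].enctype)) {
            *out = keys[i].enctype;
            return KDC_OK;
        }
    }
    return n == 0 ? KDC_ERR_NO_KEY : KDC_ERR_BAD_ENCTYPE;
}

/* Constructed krbtgt key list: current kvno 3 with a single-DES key first,
 * then AES keys, plus an older kvno 2 key. */
const struct key_data krbtgt_keys[] = {
    { 3, ENCTYPE_DES_CBC_CRC },
    { 3, ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
    { 3, ENCTYPE_AES128_CTS_HMAC_SHA1_96 },
    { 2, ENCTYPE_AES256_CTS_HMAC_SHA1_96 },
};
const size_t krbtgt_nkeys = sizeof krbtgt_keys / sizeof krbtgt_keys[0];

/* Helpers returning the outcome of each strategy on the constructed list. */
int demo_shortcut_result(void)
{
    int etype = 0;
    return select_tgt_key_first(krbtgt_keys, krbtgt_nkeys, &etype);
}

int demo_supported_result(void)
{
    int etype = 0;
    return select_tgt_key_supported(krbtgt_keys, krbtgt_nkeys, &etype);
}

int demo_supported_enctype(void)
{
    int etype = 0;
    select_tgt_key_supported(krbtgt_keys, krbtgt_nkeys, &etype);
    return etype;
}

int main(void)
{
    printf("first-entry shortcut: %s\n",
           demo_shortcut_result() == KDC_OK ? "ok" : "Bad encryption type");
    printf("enctype-aware lookup: %s (enctype %d)\n",
           demo_supported_result() == KDC_OK ? "ok" : "Bad encryption type",
           demo_supported_enctype());
    return 0;
}
```

With the constructed list, the shortcut reports "Bad encryption type" because entry 0 is single DES, while the enctype-aware lookup picks the AES256 key of the same kvno, which is the behaviour the ticket attributes to the pre-shortcut krb5_dbe_find_enctype() path.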