Rekeying krbtgt and the behaviour of SSH and delegated credentials

John Devitofranceschi foonon at gmail.com
Sat Dec 3 22:59:44 EST 2016


> On Aug 10, 2016, at 11:29 AM, Michael Howe <michael.howe at it.ox.ac.uk> wrote:
> 
> Hi Greg,
> 
> On Mon, Aug 08, 2016 at 01:39:49PM -0400, Greg Hudson wrote:
>> On 08/05/2016 02:48 PM, Michael Howe wrote:
>>> When a client has an existing (forwardable) ticket, and the krbtgt is
>>> rekeyed with -keepold, most things keep working.  However, if that
>>> ticket is used with SSH using GSSAPIDelegateCredentials=yes it seems to
>>> make the forwarded ticket unusable - the KDC returns 'Bad encryption
>>> type' whenever it's used.  (I've not tested other applications that
>>> might forward credentials.)
>> 
> 
> I've tested with 1.14, and that does indeed fix things.  As it's only
> required on the KDCs, and 1.14 in Debian is trivially backportable to
> run on Debian stable, I'm happy to use it to solve the problem,
> particularly if the fix is invasive.  That said, I might raise a Debian
> bug anyway, so the maintainers are aware (and anyone else encountering
> the issue can find it more easily).
> 

We ran into this recently and found that renewed tickets were also unusable. They could not even be renewed. Our KDC is 1.13.2.

At least we know for certain that tickets using the old key have all expired now and that we can purge the old keys! The last HANDLE_AUTHDATA error appeared just about 2*max_life hours after the change was made.

Perhaps a word about this in the “Changing the krbtgt key” section (all versions) of the online documentation would be in order?

jd
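As an added example (not from this thread or from MIT krb5), the following Python scans a constructed krb5kdc.log excerpt for the HANDLE_AUTHDATA / "Bad encryption type" rejections described above and applies the 2*max_life observation from the post to decide whether the old krbtgt keys can be purged. The exact log line shape, the host and principal names, and the rekey time are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed krb5kdc.log excerpt (not real KDC output): two TGS requests are
# rejected at HANDLE_AUTHDATA with "Bad encryption type", the symptom the
# thread reports for tickets still sealed with the pre-rekey krbtgt key.
SAMPLE_LOG = """\
Dec 01 09:00:12 kdc1 krb5kdc[2210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1480582800, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web1.example.com@EXAMPLE.COM
Dec 01 10:15:40 kdc1 krb5kdc[2210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.11: HANDLE_AUTHDATA: bob@EXAMPLE.COM for host/db1.example.com@EXAMPLE.COM, Bad encryption type
Dec 02 03:30:05 kdc1 krb5kdc[2210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.12: HANDLE_AUTHDATA: carol@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Bad encryption type
Dec 02 07:44:51 kdc1 krb5kdc[2210](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) 192.0.2.10: ISSUE: authtime 1480662000, etypes {rep=18 tkt=18 ses=18}, alice@EXAMPLE.COM for host/web1.example.com@EXAMPLE.COM
"""

# Assumed line shape: syslog stamp, host, krb5kdc[pid](level), then the TGS_REQ
# status text. Only the HANDLE_AUTHDATA rejections are captured.
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"TGS_REQ .*?: HANDLE_AUTHDATA: (?P<client>\S+) for (?P<server>\S+), "
    r"Bad encryption type$"
)


def parse_ts(text, year):
    """Syslog stamps carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def old_key_failures(log_text, year):
    """Return (time, client, server) for every TGS request the KDC rejected
    because the presented ticket was sealed with a key it no longer has."""
    hits = []
    for line in log_text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            hits.append((parse_ts(m["ts"], year), m["client"], m["server"]))
    return hits


def safe_to_purge(failures, rekey_time, max_life_hours, now):
    """Apply the rule the thread observed: rejections stop about 2*max_life
    after the rekey. Purging the old keys is judged safe only once that
    window has elapsed and no rejection was logged after it closed (a later
    one would mean a longer-lived, e.g. renewed, ticket is still in use)."""
    window_end = rekey_time + timedelta(hours=2 * max_life_hours)
    if now < window_end:
        return False
    return all(t < window_end for t, _, _ in failures)
```

Run it against a real krb5kdc.log by replacing SAMPLE_LOG with the file contents and the rekey time with the timestamp of your change_password -keepold.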