CVE-2020-17049

Jeffrey Altman jaltman at secure-endpoints.com
Tue Nov 17 12:53:16 EST 2020


On 11/17/2020 12:16 PM, Robbie Harwood (rharwood at redhat.com) wrote:
> Luke Hebert <lhebert at cloudera.com> writes:
> 
>> Hi,
>> Disabling service
>> ticket and tgt renewability is not great and it obviously breaks long
>> running processes that rely on renewability of these items.

Just to set the record straight, Kerberos service tickets have never
been renewable unless they were obtained as initial tickets.  Only
TGTs are renewable.  This is true for MIT and Heimdal as well as
Active Directory.

>>>> *How does this patch affect third-party Kerberos clients?*
>>
>>>> When the registry key is set to 1, patched domain controllers will issue
>> service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
>> and will refuse to renew existing service tickets and TGTs. Windows clients
>> are not impacted by this since they never renew service tickets or TGTs.
>> Third-party Kerberos clients may fail to renew service tickets or TGTs
>> acquired from unpatched DCs. If all DCs are patched with the registry set
>> to 1, third-party clients will no longer receive renewable tickets.
> 
> You're correct that Microsoft has not released details on this issue.
> 
> They have indicated that some failures are a known issue, and claim to
> be working on a fix:
> https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc

It used to be the case that "kinit -r" would fail if the requested
principal was "disallow-renewable".   I don't remember if it was because
the KDC refused to issue any ticket when renewable was requested or if
it was the client library rejecting the ticket because it didn't satisfy
the request.   If the problem is the latter, the Microsoft change has an
immediate impact that cannot easily be worked around without patching
the client systems.

It would be useful if someone could test and report the actual symptoms
as observed on the non-Windows client.

Jeffrey Altman


-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4080 bytes
Desc: S/MIME Cryptographic Signature
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20201117/f80bb7fe/attachment-0001.bin


More information about the Kerberos mailing list