CVE-2020-17049
Greg Hudson
ghudson at mit.edu
Tue Nov 17 13:26:27 EST 2020
On 11/17/20 12:53 PM, Jeffrey Altman wrote:
> Just to set the record straight, Kerberos service tickets have never
> been renewable unless they were obtained as initial tickets. Only
> TGTs are renewable. This is true for MIT and Heimdal as well as
> Active Directory.

Both initial and non-initial non-TGTs are renewable with MIT krb5:

    $ make testrealm
    $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
    $ kadmin.local modprinc -maxrenewlife 1d user
    $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
    $ kinit -S host/small-gods -l 10m -r 20m
    Password for user@KRBTEST.COM:
    $ kinit -R -S host/small-gods
    $ kinit -l 10m -r 20m user
    Password for user@KRBTEST.COM:
    $ kvno host/small-gods
    host/small-gods@KRBTEST.COM: kvno = 1
    $ kinit -R -S host/small-gods
    $

There is even a messaging service at MIT that makes use of renewable
service tickets.

Prior to release 1.9 the MIT krb5 KDC supported renewing service
tickets, but the client library did not:
https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .

> It used to be the case that "kinit -r" would fail if the requested
> principal was "disallow-renewable". I don't remember if it was because
> the KDC refused to issue any ticket when renewable was requested or if
> it was the client library rejecting the ticket because it didn't satisfy
> the request.

That was KDC-side. For MIT krb5, the KDC behavior changed in release
1.12 to just issue a non-renewable ticket in this case.