Jeffrey T. Hutzelman jhutz at
Tue Nov 17 14:10:25 EST 2020

Hrm. RFC4120 is fairly explicit on how the KDC processing works for a request to renew a service ticket. In particular, it contemplates a TGS_REQ in which "the accompanying ticket is not a TGT for the current realm, but is for an application server in the current realm", and describes under what conditions the TGS may decrypt and process such a request.

Oddly, the language describing how the RENEWABLE flag gets set in the first place is only present in the section on AS_REQ processing. Apparently we left that bit out. :-(

-- Jeff

From: kerberos-bounces at <kerberos-bounces at> on behalf of Jeffrey Altman <jaltman at>
Sent: Tuesday, November 17, 2020 1:51 PM
To: Greg Hudson (ghudson at; Robbie Harwood (rharwood at; kerberos at
Subject: Re: CVE-2020-17049

On 11/17/2020 1:26 PM, Greg Hudson (ghudson at wrote:
> On 11/17/20 12:53 PM, Jeffrey Altman wrote:
>> Just to set the record straight, Kerberos service tickets have never
>> been renewable unless they were obtained as initial tickets.  Only
>> TGTs are renewable.  This is true for MIT and Heimdal as well as
>> Active Directory.
> Both initial and non-initial non-TGTs are renewable with MIT krb5:
> $ make testrealm
> $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
> $ kadmin.local modprinc -maxrenewlife 1d user
> $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
> $ kinit -S host/small-gods -l 10m -r 20m
> Password for user at KRBTEST.COM:
> $ kinit -R -S host/small-gods
> $ kinit -l 10m -r 20m user
> Password for user at KRBTEST.COM:
> $ kvno host/small-gods
> host/small-gods at KRBTEST.COM: kvno = 1
> $ kinit -R -S host/small-gods
> $
> There is even a messaging service at MIT that makes use of renewable
> service tickets.
> Prior to release 1.9 the MIT krb5 KDC supported renewing service
> tickets, but the client library did not:
> .
>> It used to be the case that "kinit -r" would fail if the requested
>> principal was "disallow-renewable".   I don't remember if it was because
>> the KDC refused to issue any ticket when renewable was requested or if
>> it was the client library rejecting the ticket because it didn't satisfy
>> the request.
> That was KDC-side.  For MIT krb5, the KDC behavior changed in release
> 1.12 to just issue a non-renewable ticket in this case.


Thanks for tracking down the history.

I'm glad to see that service tickets can be renewed.  The lack of that
functionality was always frustrating.

Heimdal should change its behavior to match.

Jeffrey Altman

More information about the Kerberos mailing list