[krbdev.mit.edu #2131] krb5_get_init_creds_keytab() doesn't restrict requested enctypes to those in keytab entry
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Jul 2 13:00:08 EDT 2012
This change had the unintended consequence of restricting the ticket
session key to the enctypes in the keytab. The change was amended by
#7190 to include all of the default_tkt_enctypes list in the request, but
sorted with the keytab's enctypes appearing first. That way the session
key enctype is not constrained, but the KDC is very likely to use a reply
key which exists in the keytab.
Nico has also suggested doing encrypted timestamp preauth with one of the
keytab keys, and having the KDC use the encrypted timestamp key as the
reply key. These are probably good ideas but the former may have some
edge cases given the current state of the client preauth code. See also:
http://mailman.mit.edu/pipermail/krbdev/2012-July/010998.html
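To make the three behaviours discussed above concrete (the pre-#2131 request, the #2131 restriction, and the #7190 ordering), here is an added model written for this page, not MIT krb5 code. The KDC selection logic is a deliberate simplification and the enctype lists are constructed sample data; enctype numbers are the RFC 3961/8009 assignments.

```python
"""Model of request-enctype handling from krbdev #2131 / #7190 (added example)."""

# RFC 3961/8009 enctype numbers.
AES256_SHA1, AES128_SHA1, DES3, RC4 = 18, 17, 16, 23
AES128_SHA2, AES256_SHA2 = 19, 20

# Constructed sample: what the client profile allows (default_tkt_enctypes)
# and what the single keytab entry actually contains (an old rc4-hmac key).
DEFAULT_TKT_ENCTYPES = [AES256_SHA2, AES128_SHA2, AES256_SHA1, AES128_SHA1, DES3, RC4]
KEYTAB_ENCTYPES = [RC4]


def restricted_request(default_tkt_enctypes, keytab_enctypes):
    """Original #2131 fix: request only enctypes present in the keytab.
    Side effect: the session-key enctype is restricted to the same set."""
    return [e for e in default_tkt_enctypes if e in keytab_enctypes]


def ordered_request(default_tkt_enctypes, keytab_enctypes):
    """#7190 amendment: keep the whole default_tkt_enctypes list, but move the
    enctypes the keytab has to the front; relative order is otherwise kept.
    Assumption: keytab enctypes absent from default_tkt_enctypes are not added."""
    wanted = set(keytab_enctypes)
    front = [e for e in default_tkt_enctypes if e in wanted]
    rest = [e for e in default_tkt_enctypes if e not in wanted]
    return front + rest


def kdc_choose(request, client_keys, kdc_permitted):
    """Simplified KDC (assumption, not the real kdc_util logic):
    reply key  = first requested enctype for which the client has a long-term key
    session key = first requested enctype in the KDC's permitted list.
    Returns (reply_enctype, session_enctype); None where nothing matches."""
    reply = next((e for e in request if e in client_keys), None)
    session = next((e for e in request if e in kdc_permitted), None)
    return reply, session


# The KDC holds more client keys than the keytab does, and does not permit
# rc4-hmac session keys.  This is the situation each change was reacting to.
CLIENT_KEYS = {AES256_SHA1, RC4}
KDC_PERMITTED = {AES256_SHA2, AES256_SHA1, AES128_SHA1}

if __name__ == "__main__":
    for label, req in [("pre-#2131", DEFAULT_TKT_ENCTYPES),
                       ("#2131", restricted_request(DEFAULT_TKT_ENCTYPES, KEYTAB_ENCTYPES)),
                       ("#7190", ordered_request(DEFAULT_TKT_ENCTYPES, KEYTAB_ENCTYPES))]:
        print(label, req, kdc_choose(req, CLIENT_KEYS, KDC_PERMITTED))
```

With the unordered list the KDC picks an aes256 reply key the keytab cannot decrypt; with the restricted list no permitted session-key enctype remains; with the ordered list the reply key is rc4-hmac (in the keytab) while the session key is still aes256.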