[krbdev.mit.edu #7432] krb5-1.10.3: Updating krbtgt with kvno 0

Richard Basch via RT rt-comment at krbdev.mit.edu
Thu Oct 25 19:30:36 EDT 2012


I was experimenting with a Kerberos database which was constructed in the
early 1990s when the db_creation would create krbtgt with kvno = 0.


If you try to update the krbtgt, using "cpw -randkey -keepold krbtgt/XXX",
the old key cannot effectively be used by clients. *_search_enctypes and
*_find_enctypes allow kvno to be passed in as a search criteria, but the
default routine (in lib/kdb/kdb_default.c) will treat kvno=0 as a flag to
return the latest kvno. Ironically, it also treats -1 the same way.


This problem with krbtgt key rotation only occurs when you have a krbtgt
with kvno=0 (which again can happen if the database was created long ago but
the key was never updated).


A quick fix is to change the KDC code to pass in kvno=-1 when searching for
"latest key" and change the routine such that kvno=0 will return kvno 0 if
found or latest key if not found (that way, the API is relatively cleanly
preserved).


lib/kdb/kdb_default.c

Fix calls from:

plugins/kdb/hdb/kdb_windc.c
kdc/kdc_preauth.c
kdc/kdc_preauth_encts.c
kdc/do_as_req.c
kdc/do_tgs_req.c
kdc/kdc_util.c

If you agree with the above approach, I will send in a patch (though it is
probably not difficult to re-implement with the above description of the
framework).
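The lookup semantics the report describes, as an added illustration that is not part of the original message and not krb5's own code: a constructed key list for a krbtgt principal whose original key was created with kvno 0 and later rotated with `-keepold`, searched first with the behaviour the report complains about (kvno 0 and -1 both mean "latest") and then with the proposed behaviour (only -1 means "latest"; kvno 0 matches a real kvno-0 key and falls back to the latest key otherwise). The struct, function and macro names (`key_entry`, `find_key_original`, `find_key_proposed`, `KVNO_LATEST`) are this example's own; enctype 18 is aes256-cts-hmac-sha1-96 and is used only as a sample value.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of one principal's key list: each entry is one key
 * version (kvno) with its enctype.  Names here are the example's own,
 * not krb5's krb5_key_data / kdb_default.c identifiers. */
struct key_entry {
    int kvno;
    int enctype;
};

/* Proposed sentinel: the only value that means "newest key version". */
#define KVNO_LATEST (-1)

/* Behaviour as described in the report: kvno 0 is treated as a flag for
 * "latest" (and so is -1), so a genuine kvno-0 key can never be selected. */
static const struct key_entry *
find_key_original(const struct key_entry *keys, size_t n, int enctype, int kvno)
{
    const struct key_entry *best = NULL;
    size_t i;

    if (kvno == 0)
        kvno = -1;                      /* 0 silently becomes "latest" */
    for (i = 0; i < n; i++) {
        if (keys[i].enctype != enctype)
            continue;
        if (kvno == -1) {
            if (best == NULL || keys[i].kvno > best->kvno)
                best = &keys[i];
        } else if (keys[i].kvno == kvno) {
            return &keys[i];            /* exact kvno match */
        }
    }
    return best;                        /* latest, or NULL if no match */
}

/* Proposed behaviour: -1 means "latest"; kvno 0 returns the kvno-0 key if
 * present and otherwise the latest key; any other kvno must match exactly. */
static const struct key_entry *
find_key_proposed(const struct key_entry *keys, size_t n, int enctype, int kvno)
{
    const struct key_entry *best = NULL;
    size_t i;

    for (i = 0; i < n; i++) {
        if (keys[i].enctype != enctype)
            continue;
        if (kvno != KVNO_LATEST && keys[i].kvno == kvno)
            return &keys[i];            /* exact match, including kvno 0 */
        if (best == NULL || keys[i].kvno > best->kvno)
            best = &keys[i];            /* track newest version seen */
    }
    if (kvno == KVNO_LATEST || kvno == 0)
        return best;                    /* "latest" requested, or kvno-0 fallback */
    return NULL;                        /* explicit kvno not present */
}

/* Constructed krbtgt key list: kvno 0 from an early-1990s database creation,
 * kvno 1 added later by "cpw -randkey -keepold". */
static const struct key_entry KRBTGT_KEYS[] = {
    { 0, 18 },
    { 1, 18 },
};
#define NKRBTGT (sizeof KRBTGT_KEYS / sizeof KRBTGT_KEYS[0])

/* Constructed list for a principal that never had a kvno-0 key. */
static const struct key_entry MODERN_KEYS[] = {
    { 3, 18 },
    { 4, 18 },
};
#define NMODERN (sizeof MODERN_KEYS / sizeof MODERN_KEYS[0])

/* Returns the kvno a lookup selects, or -2 when nothing matches. */
static int selected_kvno(const struct key_entry *k) { return k ? k->kvno : -2; }

int main(void)
{
    /* A TGT issued under the old key carries kvno 0 in its ticket.  The KDC
     * must find that key to decrypt it; the original lookup returns kvno 1. */
    printf("ticket kvno 0, original lookup -> kvno %d\n",
           selected_kvno(find_key_original(KRBTGT_KEYS, NKRBTGT, 18, 0)));
    printf("ticket kvno 0, proposed lookup -> kvno %d\n",
           selected_kvno(find_key_proposed(KRBTGT_KEYS, NKRBTGT, 18, 0)));
    printf("latest key, proposed lookup   -> kvno %d\n",
           selected_kvno(find_key_proposed(KRBTGT_KEYS, NKRBTGT, 18, KVNO_LATEST)));
    return 0;
}
```

The point the two functions make side by side: after a `-keepold` rotation, tickets encrypted under the kvno-0 key are still valid until they expire, but the original lookup can only ever hand the KDC the newest key for them, so those tickets fail to decrypt until they are reissued. With the proposed semantics callers that want the newest key pass `KVNO_LATEST` explicitly, and a kvno-0 lookup behaves as before for every database whose principals never had a kvno-0 key.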
