[krbdev.mit.edu #8199] Only include one key in etype-info
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Sun Dec 13 10:51:00 EST 2015
This change can cause interoperability problems with clients using
JDK 1.6.0_24 due to a bug which is fixed in 1.7 and 1.6.0_25:
https://bugs.openjdk.java.net/browse/JDK-6932525
The bug is that, in its second pre-authenticated request, the client
narrows its etypes field to the enctypes present in the
ETYPE-INFO/ETYPE-INFO2 pa-data of the PREAUTH_REQUIRED error,
unnecessarily limiting the set of negotiable session etypes.
Here is an example of the problem cropping up:
http://mailman.mit.edu/pipermail/krbdev/2015-December/012499.html
In this example, the problem occurs because des-cbc-md5 is negotiated
for preauth but normally cannot be used as the session enctype (due
to an old hardcoded policy stemming from an ancient interop issue).
The problem could also occur without single-DES if the server
principal has a restricted set of enctypes.
I don't think we need to revert our KDC behavior; the Java client bug
can also manifest with certain AD server configurations. I'm just
noting it here to make it easier to find in the future.
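The negotiation failure described in this ticket comment, as an added toy model (not code from the ticket, from MIT krb5 or from the JDK): a KDC that lists a single key in ETYPE-INFO2, a client that either narrows its etype list to that key (the JDK bug as the comment describes it) or leaves it alone, and a session-key selection step that must find an enctype the service principal has a key for and that policy allows for session use. Enctype names are the standard identifiers; the principal key sets, the `not_for_session` policy set and the "first match in client preference order" selection rule are simplifications constructed for the example.

```python
# Added example, not code from the ticket, MIT krb5 or the JDK: a toy model of
# the enctype negotiation the comment describes.  Key sets and the session
# policy are constructed; the selection rules are simplified.


def kdc_etype_info2(client_etypes, client_principal_keys):
    """Model of the PREAUTH_REQUIRED reply after #8199: the KDC lists exactly
    one enctype, the first of the client's request that the client principal
    has a key for (an empty list if there is none)."""
    for etype in client_etypes:
        if etype in client_principal_keys:
            return [etype]
    return []


def buggy_second_request(client_etypes, etype_info):
    """JDK-6932525 behaviour as the comment describes it: the pre-authenticated
    request offers only the enctypes named in ETYPE-INFO/ETYPE-INFO2."""
    return [e for e in client_etypes if e in etype_info]


def fixed_second_request(client_etypes, etype_info):
    """Corrected behaviour: etype-info only tells the client which long-term
    key to use for preauth; the list of negotiable session etypes is unchanged."""
    return list(client_etypes)


def pick_session_etype(offered, server_principal_keys, not_for_session):
    """Simplified session-key selection: the first offered enctype that the
    service principal has a key for and that policy allows as a session key."""
    for etype in offered:
        if etype in server_principal_keys and etype not in not_for_session:
            return etype
    return None  # no usable session enctype: the TGS exchange fails


def negotiate(second_request, client_etypes, client_keys, server_keys,
              not_for_session=frozenset()):
    """Run the exchange: error with ETYPE-INFO2, second request, session pick."""
    einfo = kdc_etype_info2(client_etypes, client_keys)
    offered = second_request(client_etypes, einfo)
    return pick_session_etype(offered, server_keys, not_for_session)


# Constructed data for the krbdev-thread case: the user's only key is
# single-DES, which the KDC's hardcoded policy will not use as a session key.
CLIENT_ETYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des-cbc-md5"]
DES_ONLY_USER = {"des-cbc-md5"}
SERVICE_KEYS = {"aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des-cbc-md5"}
NO_DES_SESSION = frozenset({"des-cbc-md5"})

# Constructed data for the comment's second case: no single-DES anywhere, but
# the service principal only has an aes128 key while the user's key is aes256.
AES_USER = {"aes256-cts-hmac-sha1-96"}
AES128_SERVICE = {"aes128-cts-hmac-sha1-96"}


def scenario_single_des(second_request):
    return negotiate(second_request, CLIENT_ETYPES, DES_ONLY_USER,
                     SERVICE_KEYS, NO_DES_SESSION)


def scenario_restricted_service(second_request):
    return negotiate(second_request, CLIENT_ETYPES, AES_USER, AES128_SERVICE)


if __name__ == "__main__":
    for name, fn in (("buggy client", buggy_second_request),
                     ("fixed client", fixed_second_request)):
        print(f"{name}: single-DES user -> {scenario_single_des(fn)}, "
              f"restricted service -> {scenario_restricted_service(fn)}")
```

In both scenarios the narrowing client ends up offering only the enctype of its own long-term key, which is exactly the one the KDC cannot hand out as a session key, so negotiation fails; the client that keeps its full list gets an AES session key. The model also shows why the KDC change in #8199 is not the cause: listing one key in etype-info is correct, and the failure only appears when the client treats that list as its session etype list.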