[krbdev.mit.edu #8139] SIGNTICKET creation and verification doesn't always use the right key
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Mon Aug 8 13:46:49 EDT 2016
Another manifestation of this bug is described in:
http://mailman.mit.edu/pipermail/kerberos/2016-August/021342.html
Briefly, acquire a credential, re-key the TGT with a different first
enctype, acquire a forwarded TGT with the existing credentials, then try to
make a TGS request with the new TGT. Because the authdata in the new TGT
is checksummed with the old TGT key, verify_ad_signedpath_checksum()
receives a bad-enctype error code from krb5_c_verify_checksum() (not a 0
result with valid set to FALSE, as it would get if the checksum were
incorrect but of a valid checksum type for the key). So the whole TGS
operation fails out.
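The two failure modes the report distinguishes, modelled in Python as an added illustration (this is not krb5 code; the key tuples, enctype numbers, error code and return strings are constructed): a verify call reports a checksum made with a key of a different enctype as an error code, while a checksum that simply does not match is reported as success with valid=False, and the caller only tolerates the latter.

```python
"""Simplified model of the failure described in krbdev #8139 (added example,
not krb5 code). A checksum carries the enctype of the key that produced it;
verifying it with a key of another enctype yields an error code, whereas a
checksum of the right type that does not match yields (0, valid=False)."""
import hashlib
import hmac

BAD_ENCTYPE = 1  # constructed error code standing in for a bad-enctype error


def make_checksum(key: tuple, data: bytes) -> tuple:
    """Return (enctype, mac) over data using key=(enctype, secret)."""
    enctype, secret = key
    return (enctype, hmac.new(secret, data, hashlib.sha256).digest())


def verify_checksum(key: tuple, data: bytes, cksum: tuple) -> tuple:
    """Model of the (errcode, valid) contract the report describes."""
    enctype, secret = key
    ck_enctype, mac = cksum
    if ck_enctype != enctype:
        return (BAD_ENCTYPE, False)  # checksum type unusable with this key
    expected = hmac.new(secret, data, hashlib.sha256).digest()
    return (0, hmac.compare_digest(expected, mac))


def verify_ad_signedpath(tgt_key: tuple, authdata: bytes, cksum: tuple) -> str:
    """Caller behaviour from the report: a non-zero error aborts the whole
    TGS operation, while valid=False only leaves the signedpath unverified."""
    err, valid = verify_checksum(tgt_key, authdata, cksum)
    if err:
        return "TGS request fails"
    return "signedpath verified" if valid else "signedpath ignored"


def scenario(new_tgt_key: tuple) -> str:
    """Authdata is checksummed under the OLD TGT key (enctype 18), then the
    TGS request is verified with whatever key the new TGT carries."""
    authdata = b"constructed SIGNTICKET authdata"
    old_key = (18, b"old-tgt-session-key")  # constructed key material
    cksum = make_checksum(old_key, authdata)
    return verify_ad_signedpath(new_tgt_key, authdata, cksum)


if __name__ == "__main__":
    print(scenario((18, b"old-tgt-session-key")))  # same key: verified
    print(scenario((18, b"new-tgt-session-key")))  # same enctype: ignored
    print(scenario((17, b"new-tgt-session-key")))  # re-keyed enctype: fails
```

Only the third case, a re-keyed TGT with a different first enctype, turns a stale signedpath checksum into a fatal error for the whole request.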