Cross-realm ticket forwarding enctype compatibility
Ken Hornstein
kenh at cmf.nrl.navy.mil
Tue Apr 8 14:53:24 EDT 2003
I ran into an interesting problem today, and I'm wondering if anyone has
a reasonable solution.
Setup:
Realm A: my local realm, supports 3DES
Realm B: foreign realm, old code base, no 3DES support
Cross-realm trust between A and B
User in realm B uses newer client code which supports 3DES, gets TGT from
realm B, and authenticates to realm A. That works as expected.
User B then wants to forward his TGT to service in realm A. This fails,
because the heuristic in the client code that selects the session key
enctype for the new TGT selects 3DES (since that's the session key in the
ticket for the service in A). This fails, since realm B doesn't support
3DES. I know, the comment for the code in fwd_tgt.c says "not bulletproof",
and this is clearly a corner case. I really want realm B to upgrade anyway,
and that's the obvious solution, but I'm wondering if there's a better
solution that pops out at anyone.
One thing that comes to mind is that in fwd_tgt if we get back a "enctype
not supported" error, it would be easy to fall back to not passing in
an enctype in the creds structure, and that would send back a whole list
of possible enctypes rather than just clamping it at the service's enctype.
I can invision cases where that doesn't work so well either, but I think
it makes the failure window smaller.
Sigh, I wish it was possible to find out ALL of the enctypes that a service
supported, then you could simply send that to the KDC rather than just one.
--Ken
More information about the krbdev
mailing list