Cross-realm ticket forwarding enctype compatibility
Sam Hartman
hartmans at MIT.EDU
Tue Apr 8 16:07:26 EDT 2003
>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
Ken> I ran into an interesting problem today, and I'm wondering if
Ken> anyone has a reasonable solution.
I think so.
Ken> User B then wants to forward his TGT to service in realm A.
Ken> This fails, because the heuristic in the client code that
Ken> selects the session key enctype for the new TGT selects 3DES
Ken> (since that's the session key in the ticket for the service
Ken> in A). This fails, since realm B doesn't support 3DES. I
Ken> know, the comment for the code in fwd_tgt.c says "not
Ken> bulletproof", and this is clearly a corner case.
I think that the code in fwd_tgt.c should try forwarding tickets with
enctype = 0 in the credentials structure (i.e. using the client's
default enctypes) if it fails to get a TGT with the service key
enctype.
I should be implementing this solution this week.
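
The retry proposed in the message above, as an added example that is not part of the original post and is not MIT krb5 code: a self-contained C model of the enctype selection. The `struct kdc`, `request_tgt`, `forward_tgt_enctype` names and the sample realm data are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos enctype numbers; the constant names are local to this example. */
enum { ET_DEFAULT = 0, ET_DES_CBC_CRC = 1, ET_DES3_CBC_SHA1 = 16 };

/* Hypothetical model of a KDC: the session-key enctypes its realm can issue. */
struct kdc { const int *supported; size_t n; };

static int kdc_supports(const struct kdc *k, int et) {
    for (size_t i = 0; i < k->n; i++)
        if (k->supported[i] == et) return 1;
    return 0;
}

/* Model of one TGS request. requested == ET_DEFAULT offers the client's
 * default list in preference order; otherwise only `requested` is offered.
 * Returns the enctype the KDC picks, or -1 if nothing offered is supported. */
static int request_tgt(const struct kdc *k, int requested,
                       const int *defaults, size_t nd) {
    if (requested != ET_DEFAULT)
        return kdc_supports(k, requested) ? requested : -1;
    for (size_t i = 0; i < nd; i++)
        if (kdc_supports(k, defaults[i])) return defaults[i];
    return -1;
}

/* First try the service ticket's session-key enctype; on failure retry
 * with enctype 0. *fell_back reports whether the retry was needed. */
int forward_tgt_enctype(const struct kdc *home, int service_enctype,
                        const int *defaults, size_t nd, int *fell_back) {
    int et = request_tgt(home, service_enctype, defaults, nd);
    *fell_back = 0;
    if (et < 0 && service_enctype != ET_DEFAULT) {
        *fell_back = 1;
        et = request_tgt(home, ET_DEFAULT, defaults, nd);
    }
    return et;
}

/* Constructed sample data: realm B issues DES only; the client prefers 3DES. */
static const int realm_b_types[] = { ET_DES_CBC_CRC };
static const struct kdc realm_b = { realm_b_types, 1 };
static const int client_defaults[] = { ET_DES3_CBC_SHA1, ET_DES_CBC_CRC };

int main(void) {
    int fb, et = forward_tgt_enctype(&realm_b, ET_DES3_CBC_SHA1, client_defaults, 2, &fb);
    printf("enctype=%d fell_back=%d\n", et, fb);
    return 0;
}
```

In this model the retry succeeds with whatever the home realm and the client's defaults have in common, here single DES, so the forwarded TGT's session key can be weaker than the service ticket's.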