Cross-realm ticket forwarding enctype compatibility

Sam Hartman hartmans at MIT.EDU
Tue Apr 8 16:07:26 EDT 2003

>>>>> "Ken" == Ken Hornstein <kenh at> writes:

    Ken> I ran into an interesting problem today, and I'm wondering if
    Ken> anyone has a reasonable solution.

I think so.

    Ken> User B then wants to forward his TGT to service in realm A.
    Ken> This fails, because the heuristic in the client code that
    Ken> selects the session key enctype for the new TGT selects 3DES
    Ken> (since that's the session key in the ticket for the service
    Ken> in A).  This fails, since realm B doesn't support 3DES.  I
    Ken> know, the comment for the code in fwd_tgt.c says "not
    Ken> bulletproof", and this is clearly a corner case.  

I think that the code in fwd_tgt.c should try forwarding tickets with
enctype = 0 in the credentials structure (I.E. using the client's
default enctypes) if it fals to get a TGT with the service key

I should be implementing this solution this week.

More information about the krbdev mailing list