Multiple ETYPE-INFO-ENTRY with same etype but different salts
Greg Hudson
ghudson at MIT.EDU
Fri Jul 15 09:16:51 EDT 2011
On Fri, 2011-07-15 at 03:21 -0400, Weijun Wang wrote:
> I lookup RFC 4120 and there is no spec on what to do when there are
> multiple ETYPE-INFO-ENTRYs with the same etype but different salts. What
> shall I do now?
MIT krb5 uses the first entry for the most preferred enctype it can find
in the sequence. (That is, we iterate over our enctype preference list;
for each enctype we search the etype-info2 sequence for an entry with
that enctype, and we use the first entry we find.)
Heimdal appears to do the same thing.
> Or, is there a way to reconfigure their KDC and avoid
> such a response?
That's hard to answer with confidence without more information about the
KDC, but I'll go ahead and speculate that it's an MIT krb5 KDC with a
history of supporting krb4.
In this case, the etype-info2 entries are determined by the keys in the
KDB records. The KDC administrator could change the supported_enctypes
variable to include only one des-cbc-crc entry and then have the
affected users change their passwords.
It's arguably a bug that we return multiple etype-info2 entries with the
same enctype, and then (I assume) only try the first key entry matching
the enctype when decrypting an encrypted-timestamp preauth request. We
should either prune the etype-info2 entries to one per enctype, or try
multiple keys against a preauth request.
More information about the krbdev
mailing list