Obtaining krbtgt key from preauthentication plugin

Greg Hudson ghudson at MIT.EDU
Mon Aug 20 23:09:35 EDT 2012

On 08/20/2012 09:12 AM, Alejandro Perez Mendez wrote:
>      if ((errcode = krb5_dbe_find_enctype(kdc_context, request->server,
>                                           -1, /* ignore keytype */
>                                           -1, /* Ignore salttype */
>                                           0,  /* Get highest kvno */
>                                           &server_key))) {

Doesn't this give a warning?  request->server is a krb5_principal, and
the second argument to krb5_dbe_find_enctype is a krb5_db_entry *.

kdcpreauth plugins have access to the client DB entry via the
client_entry callback, but not currently to the server entry.  The server
entry isn't necessarily the TGT anyway, and in some common scenarios
(such as password changes) it is not.

TGT keys can also be rolled over, in which case "get highest kvno" might
get a higher version of the TGT key than the one used to encrypt the
blob sent to the client.  It would be best to use the kvno of the
encrypted blob you're decrypting (and make sure to set that kvno when
it's encrypted).
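As an added illustration of the kvno point above (example code, not from this thread or from MIT krb5), a toy key ring and XOR transform stand in for the KDB entry and a real enctype; find_key mirrors only the kvno-selection rule of krb5_dbe_find_enctype, and rollover_demo and all key bytes are constructed.

```c
/* Added example (not from the thread or MIT krb5). The kvno of the key that
 * encrypted a preauth blob travels with the blob, so a TGT key rollover does not
 * break decryption. Key ring and XOR stand in for KDB entry and enctype. */
#include <string.h>
#define KEY_LEN 8
#define BLOB_LEN 16
struct key_entry { unsigned kvno; unsigned char key[KEY_LEN]; };
struct key_ring  { struct key_entry keys[4]; size_t count; };
struct blob      { unsigned kvno; unsigned char data[BLOB_LEN]; };
/* Like the kvno argument of krb5_dbe_find_enctype: 0 picks the highest kvno,
 * anything else must match exactly. Returns NULL if no key fits. */
static const struct key_entry *find_key(const struct key_ring *r, unsigned kvno) {
    const struct key_entry *best = NULL;
    for (size_t i = 0; i < r->count; i++)
        if (kvno == 0 ? (best == NULL || r->keys[i].kvno > best->kvno)
                      : r->keys[i].kvno == kvno)
            best = &r->keys[i];
    return best;
}
/* Encrypt under the highest key and record that key's kvno in the blob. */
static int encrypt_blob(const struct key_ring *r, const unsigned char *plain,
                        struct blob *out) {
    const struct key_entry *k = find_key(r, 0);
    if (k == NULL) return -1;
    out->kvno = k->kvno;
    for (size_t i = 0; i < BLOB_LEN; i++) out->data[i] = plain[i] ^ k->key[i % KEY_LEN];
    return 0;
}
/* Decrypt with the key the blob names; use_highest reproduces the mismatch. The
 * kvno comparison stands in for the integrity failure of a real enctype. */
static int decrypt_blob(const struct key_ring *r, const struct blob *in,
                        int use_highest, unsigned char *plain) {
    const struct key_entry *k = find_key(r, use_highest ? 0 : in->kvno);
    if (k == NULL || k->kvno != in->kvno) return -1;
    for (size_t i = 0; i < BLOB_LEN; i++) plain[i] = in->data[i] ^ k->key[i % KEY_LEN];
    return 0;
}
/* Rollover with constructed keys: encrypt under kvno 2, add kvno 3, decrypt both
 * ways. Returns 1 when the tagged lookup succeeds and highest-kvno fails. */
int rollover_demo(void) {
    struct key_ring ring = { { { 2, "k2k2k2k2" } }, 1 };
    unsigned char plain[BLOB_LEN] = "preauth-state!!", out[BLOB_LEN];
    struct blob b;
    if (encrypt_blob(&ring, plain, &b) != 0) return 0;
    ring.keys[ring.count++] = (struct key_entry){ 3, "k3k3k3k3" };
    int highest_ok = decrypt_blob(&ring, &b, 1, out) == 0;
    int tagged_ok = decrypt_blob(&ring, &b, 0, out) == 0 && memcmp(out, plain, BLOB_LEN) == 0;
    return tagged_ok && !highest_ok;
}
```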
