krb5_gic_init_creds_keytab and session key enctypes

Greg Hudson ghudson at MIT.EDU
Mon Jul 2 12:56:14 EDT 2012

On 07/02/2012 03:00 AM, Nico Williams wrote:
> Have you tried making krb5_get_init_creds_keytab() use PA-ENC-TSTAMP?

I'm a little worried about unintended consequences there.  If nothing
else, we might want better handling of preauth-failed errors resulting
from doing encrypted timestamp with a key the KDC turns out not to have.

I definitely agree that the KDC should be using the pa-enc-timestamp key
as the reply key (as Heimdal's KDC already does).  If I find the time, I
will look into that.  I think similar reasoning applies to encrypted

> But let's suppose that that doesn't work universally well.  Then
> simply take the default_tkt_enctypes and re-order it so that all the
> enctypes for which the service has keys in its keytab come first (but
> preferably still with the same relative order as in the original
> default_tkt_enctypes) and the others (if any) come last (also
> preserving the original relative ordering between them).

This idea is trivial to implement and more elegant than my previously
chosen KDC hack, so I've reverted the KDC hack and implemented this instead.

(The reason why I committed something right away is that this was
breaking the test suite given some of the other changes I'm working on.)

More information about the krbdev mailing list