krb5_gic_init_creds_keytab and session key enctypes
nico at cryptonector.com
Mon Jul 2 13:17:30 EDT 2012
On Mon, Jul 2, 2012 at 11:56 AM, Greg Hudson <ghudson at mit.edu> wrote:
> On 07/02/2012 03:00 AM, Nico Williams wrote:
>> Have you tried making krb5_get_init_creds_keytab() use PA-ENC-TSTAMP?
> I'm a little worried about unintended consequences there. If nothing
> else, we might want better handling of preauth-failed errors resulting
> from doing encrypted timestamp with a key the KDC turns out not to have.
But then the KDC will return PA-ETYPE-INFO* and the client should then
try the next key in the keytab (you might have to add code for that).
But ideally the gic_keytab code should just start by searching the
keytab for a key of any enctype for the desired principal (or any
principal), then on PA-ETYPE-INFO* it should search the keytab again
for a key of one of the enctypes indicated by the KDC (loop over the
PA-ETYPE-INFO* and search the keytab inside the loop).
> I definitely agree that the KDC should be using the pa-enc-timestamp key
> as the reply key (as Heimdal's KDC already does). If I find the time, I
> will look into that. I think similar reasoning applies to encrypted
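The keytab search Nico sketches above (take any key for the principal first, then on PA-ETYPE-INFO* walk the KDC's enctype list and search the keytab inside the loop), as an added example that is not code from the thread or from MIT krb5. The keytab entries are constructed; the enctype numbers are the IANA/RFC 3961 registry values.

```c
/* Added example: model of the two-step keytab key selection described in the
 * thread. Keytab contents are constructed; enctype numbers are registry values. */
#include <stdio.h>
#include <string.h>

#define ENCTYPE_DES_CBC_CRC 1
#define ENCTYPE_AES128_CTS_HMAC_SHA1_96 17
#define ENCTYPE_AES256_CTS_HMAC_SHA1_96 18
#define ENCTYPE_ARCFOUR_HMAC 23

struct kt_entry { const char *princ; int enctype; int kvno; };

/* Constructed keytab: the host principal has only AES keys; the stale DES key
 * belongs to a different principal and must never be selected for it. */
static const struct kt_entry keytab[] = {
    { "host/a.example.com@EXAMPLE.COM",   ENCTYPE_AES128_CTS_HMAC_SHA1_96, 3 },
    { "host/a.example.com@EXAMPLE.COM",   ENCTYPE_AES256_CTS_HMAC_SHA1_96, 3 },
    { "host/old.example.com@EXAMPLE.COM", ENCTYPE_DES_CBC_CRC,             1 },
};
#define KT_LEN (sizeof keytab / sizeof keytab[0])

/* Step 1: before any preauth exchange, take the first key of any enctype
 * for the desired principal. Returns the entry index, or -1 if none. */
int find_any_key(const char *princ) {
    for (size_t i = 0; i < KT_LEN; i++)
        if (strcmp(keytab[i].princ, princ) == 0) return (int)i;
    return -1;
}

/* Step 2: on PA-ETYPE-INFO*, loop over the KDC's enctypes in the order the
 * KDC listed them and search the keytab inside the loop; first hit wins. */
int find_key_for_etype_info(const char *princ, const int *etypes, size_t n) {
    for (size_t e = 0; e < n; e++)
        for (size_t i = 0; i < KT_LEN; i++)
            if (strcmp(keytab[i].princ, princ) == 0 && keytab[i].enctype == etypes[e])
                return (int)i;
    return -1; /* no usable key: report the preauth failure rather than retrying blindly */
}

int main(void) {
    const char *p = "host/a.example.com@EXAMPLE.COM";
    /* Constructed ETYPE-INFO: KDC prefers RC4, then AES-256; client lacks RC4. */
    const int kdc_etypes[] = { ENCTYPE_ARCFOUR_HMAC, ENCTYPE_AES256_CTS_HMAC_SHA1_96 };
    int first = find_any_key(p);
    int chosen = find_key_for_etype_info(p, kdc_etypes, 2);
    printf("initial entry %d, after ETYPE-INFO entry %d (enctype %d)\n",
           first, chosen, chosen >= 0 ? keytab[chosen].enctype : -1);
    return 0;
}
```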
More information about the krbdev