krb5_gic_init_creds_keytab and session key enctypes

Nico Williams nico at
Mon Jul 2 13:17:30 EDT 2012

On Mon, Jul 2, 2012 at 11:56 AM, Greg Hudson <ghudson at> wrote:
> On 07/02/2012 03:00 AM, Nico Williams wrote:
>> Have you tried making krb5_get_init_creds_keytab() use PA-ENC-TSTAMP?
> I'm a little worried about unintended consequences there.  If nothing
> else, we might want better handling of preauth-failed errors resulting
> from doing encrypted timestamp with a key the KDC turns out not to have.

But then the KDC will return PA-ETYPE-INFO* and the client should then
try the next key in the keytab (you might have to add code for that).
But ideally the gic_keytab code should just start by searching the
keytab for a key of any enctype for the desired principal (or any
principal), then on PA-ETYPE-INFO* it should search the keytab again
for a key of one of the enctypes indicated by the KDC (loop over the
PA-ETYPE-INFO* and search the keytab inside the loop).

> I definitely agree that the KDC should be using the pa-enc-timestamp key
> as the reply key (as Heimdal's KDC already does).  If I find the time, I
> will look into that.  I think similar reasoning applies to encrypted
> challenge.

Indeed.  Thanks.


More information about the krbdev mailing list