Fix TGS ticket enc-part key selection

When I added support for configuring how the KDC selects session,
reply, and ticket enc-part keys I accidentally had the KDC use the
session key selection algorithm for selecting the ticket enc-part
key.  This becomes a problem when using a Heimdal KDC with an MIT
KDB as the HDB backend and when the krbtgt keys are not in
strongest-to-weakest order, in which case forwardable tickets minted
by the Heimdal KDC will not be accepted by MIT KDCs with the same
KDB.
Nicolas Williams
2011-10-11 23:57:58 -05:00
parent 8aceafc430
commit 12cd2c9cbd

@@ -1699,17 +1699,14 @@ server_lookup:
} else {
Key *skey;
ret = _kdc_find_etype(context,
config->tgs_use_strongest_session_key, FALSE,
server, b->etype.val, b->etype.len, NULL,
&skey);
ret = _kdc_get_preferred_key(context, config, server, spn,
&etype, &skey);
if(ret) {
kdc_log(context, config, 0,
"Server (%s) has no support for etypes", spn);
goto out;
}
ekey = &skey->key;
etype = skey->key.keytype;
kvno = server->entry.kvno;
}
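Review bot: The error path right after the `_kdc_get_preferred_key(context, config, server, spn, &etype, &skey)` call still logs "Server (%s) has no support for etypes", wording that fits the client-etype-driven `_kdc_find_etype` lookup rather than this one. The new call is not passed `b->etype.val` / `b->etype.len`, so a failure here means no preferred key could be found for the server principal, not that the client's requested etypes were unsupported; suggest rewording the message accordingly so an operator chasing rejected tickets is pointed at the server's key set. A one-line comment above the call stating that the ticket enc-part key is deliberately selected independently of the client's etype list and of `tgs_use_strongest_session_key` would help prevent the same mix-up from returning, and a regression test with krbtgt keys stored out of strongest-to-weakest order would cover the case the commit message describes.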