Fix TGS ticket enc-part key selection
When I added support for configuring how the KDC selects session, reply, and ticket enc-part keys I accidentally had the KDC use the session key selection algorithm for selecting the ticket enc-part key. This becomes a problem when using a Heimdal KDC with an MIT KDB as the HDB backend and when the krbtgt keys are not in strongest-to-weakest order, in which case forwardable tickets minted by the Heimdal KDC will not be accepted by MIT KDCs with the same KDB.
@@ -1699,17 +1699,14 @@ server_lookup:
|
|||||||
} else {
|
} else {
|
||||||
Key *skey;
|
Key *skey;
|
||||||
|
|
||||||
ret = _kdc_find_etype(context,
|
ret = _kdc_get_preferred_key(context, config, server, spn,
|
||||||
config->tgs_use_strongest_session_key, FALSE,
|
&etype, &skey);
|
||||||
server, b->etype.val, b->etype.len, NULL,
|
|
||||||
&skey);
|
|
||||||
if(ret) {
|
if(ret) {
|
||||||
kdc_log(context, config, 0,
|
kdc_log(context, config, 0,
|
||||||
"Server (%s) has no support for etypes", spn);
|
"Server (%s) has no support for etypes", spn);
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
ekey = &skey->key;
|
ekey = &skey->key;
|
||||||
etype = skey->key.keytype;
|
|
||||||
kvno = server->entry.kvno;
|
kvno = server->entry.kvno;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
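Review bot: the replacement call `_kdc_get_preferred_key(context, config, server, spn, &etype, &skey)` has no comment saying why the ticket enc-part key is chosen without the client's etype list, and the commit message describes the earlier use of session key selection here as accidental. The new call drops `b->etype.val`, `b->etype.len` and `config->tgs_use_strongest_session_key`, so a short comment above it stating that this key is selected from the server's keys only, not negotiated with the client, would help keep the session key logic from being reintroduced. On the failure path, the unchanged `kdc_log` text "Server (%s) has no support for etypes" no longer matches a lookup that ignores the requested etypes; consider wording it as a missing usable key for the server principal. Since `etype` is now filled through the out-parameter and the `etype = skey->key.keytype;` assignment is removed, please confirm the two always agree on success. A regression test with krbtgt keys stored in a non-strongest-first order would cover the case the commit message describes.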