diff --git a/kdc/default_config.c b/kdc/default_config.c
index a5ee65ad1..a22e75f61 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -123,6 +123,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->as_use_strongest_session_key,
 "kdc",
 "as-use-strongest-session-key", NULL);
+ c->preauth_use_strongest_session_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->preauth_use_strongest_session_key,
+ "kdc",
+ "preauth-use-strongest-session-key", NULL);
 c->tgs_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
 c->tgs_use_strongest_session_key,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 121fa5584..497163521 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -60,6 +60,7 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
 krb5_boolean as_use_strongest_session_key;
+ krb5_boolean preauth_use_strongest_session_key;
 krb5_boolean tgs_use_strongest_session_key;
 krb5_boolean check_ticket_addresses;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 0e41c2b92..82a65b62a 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -134,6 +134,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 krb5_enctype enctype = ETYPE_NULL;
 Key *key = NULL;
+ /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
 ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
 if (ret)
 return ret;
@@ -1387,9 +1388,9 @@ _kdc_as_rep(krb5_context context,
 /*
 * If there is a client key, send ETYPE_INFO{,2}
 */
- ret = _kdc_find_etype(context, config->as_use_strongest_session_key,
- TRUE, client, b->etype.val, b->etype.len, NULL,
- &ckey);
+ ret = _kdc_find_etype(context,
+ config->preauth_use_strongest_session_key, TRUE,
+ client, b->etype.val, b->etype.len, NULL, &ckey);
 if (ret == 0) {
 /*
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 16c8a0a13..9c2908e09 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
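Review bot: The new lookup passes `c->preauth_use_strongest_session_key` as the fallback default to krb5_config_get_bool_default, so the effective default is whatever the field held before this line, and no initialisation of that field appears anywhere in this diff. krb5_kdc_get_config begins outside the hunk, so it may be set there, but if the struct is only zero-filled the option silently defaults to FALSE while the krb5.conf(5) text added in this same commit promises TRUE. Please add `c->preauth_use_strongest_session_key = TRUE;` next to the initialiser of as_use_strongest_session_key (or choose FALSE and correct the man page) so code and documentation agree. This matters because the option decides whether the KDC's strongest key or the client's enctype preference wins for the pre-authentication key.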
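Review bot: The new member is inserted between as_use_strongest_session_key and tgs_use_strongest_session_key, which shifts the offset of every following member of krb5_kdc_configuration; if this struct is part of libkdc's installed interface (kdc.h reads like a public header), code built against the old layout will read the wrong fields after an upgrade. Appending the member at the end of the struct, or bumping the library version in the same commit, avoids that; the end of the struct is outside this hunk. A short comment naming the configuration key the member mirrors, `/* kdc.preauth-use-strongest-session-key */`, would also help readers find the knob.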
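Review bot: The comment added in _kdc_find_etype describes an intended future behaviour (avoiding keys with v4 salts in the pre-auth case) that the function does not implement, and it is not marked as such, so a reader may take it as a description of the code that follows. Make it an explicit work item that names the condition, e.g. `/* TODO: when called for pre-auth, skip keys with v4 salt types (not implemented yet) */`; which parameter identifies the pre-auth case is not visible here, as the parameter list and the rest of _kdc_find_etype lie outside the hunk, so the comment should spell that out once the logic exists.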
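Review bot: The call now selects the PA-ETYPE-INFO2 key with a knob separate from the one used for the ticket session key, but nothing at the call site says why the two may legitimately differ, and the man-page text in this commit shows that with the option FALSE the client's AS-REQ enctype order decides which of the principal's keys is offered for pre-authentication — a weaker key can be chosen at the client's request if the principal still has one. A one-line comment tying the call to its knob and that consequence, `/* Key for PA-ETYPE-INFO2; governed by kdc.preauth-use-strongest-session-key, see krb5.conf(5) */`, would make the trade-off visible to the next maintainer. _kdc_as_rep starts before this hunk and continues after it.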
@@ -411,6 +411,10 @@ client's AS-REQ enctype list, that is also supported by the KDC and
 the target principal, for the ticket session key. Else it will prefer
 the first key from the client's AS-REQ enctype list that is also
 supported by the KDC and the target principal. Defaults to TRUE.
+.It Li preauth-use-strongest-session-key = Va BOOL
+Like as-use-strongest-session-key, but applies to the session key
+enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
+pre-authentication). Defaults to TRUE.
 .It Li tgs-use-strongest-session-key = Va BOOL
 Like as-use-strongest-session-key, but applies to the session key
 enctype of tickets issued by the TGS. Defaults to TRUE.