Rename and fix as/tgs-use-strongest-key config parameters

Different ticket session key enctype selection options should
    distinguish between target principal type (krbtgt vs. not), not
    between KDC request types.

kdc/default_config.c

@@ -51,9 +51,9 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->require_preauth = TRUE;
     c->kdc_warn_pwexpire = 0;
     c->encode_as_rep_as_tgs_rep = FALSE;
-    c->as_use_strongest_session_key = FALSE;
+    c->tgt_use_strongest_session_key = FALSE;
     c->preauth_use_strongest_session_key = FALSE;
-    c->tgs_use_strongest_session_key = FALSE;
+    c->svc_use_strongest_session_key = FALSE;
     c->use_strongest_server_key = TRUE;
     c->check_ticket_addresses = TRUE;
     c->allow_null_ticket_addresses = TRUE;
@@ -120,21 +120,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     }
 #endif
 
-    c->as_use_strongest_session_key =
+    c->tgt_use_strongest_session_key =
 	krb5_config_get_bool_default(context, NULL,
-				     c->as_use_strongest_session_key,
+				     c->tgt_use_strongest_session_key,
 				     "kdc",
-				     "as-use-strongest-session-key", NULL);
+				     "tgt-use-strongest-session-key", NULL);
     c->preauth_use_strongest_session_key =
 	krb5_config_get_bool_default(context, NULL,
 				     c->preauth_use_strongest_session_key,
 				     "kdc",
 				     "preauth-use-strongest-session-key", NULL);
-    c->tgs_use_strongest_session_key =
+    c->svc_use_strongest_session_key =
 	krb5_config_get_bool_default(context, NULL,
-				     c->tgs_use_strongest_session_key,
+				     c->svc_use_strongest_session_key,
 				     "kdc",
-				     "tgs-use-strongest-session-key", NULL);
+				     "svc-use-strongest-session-key", NULL);
     c->use_strongest_server_key =
 	krb5_config_get_bool_default(context, NULL,
 				     c->use_strongest_server_key,

kdc/kdc.h

@@ -59,9 +59,9 @@ typedef struct krb5_kdc_configuration {
 
     krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
 
-    krb5_boolean as_use_strongest_session_key;
+    krb5_boolean tgt_use_strongest_session_key;
     krb5_boolean preauth_use_strongest_session_key;
-    krb5_boolean tgs_use_strongest_session_key;
+    krb5_boolean svc_use_strongest_session_key;
     krb5_boolean use_strongest_server_key;
 
     krb5_boolean check_ticket_addresses;

kdc/kerberos5.c

@@ -1689,7 +1689,10 @@ _kdc_as_rep(kdc_request_t r,
      * decrypt.
      */
 
-    ret = _kdc_find_etype(context, config->as_use_strongest_session_key, FALSE,
+    ret = _kdc_find_etype(context,
+			  krb5_principal_is_krbtgt(context, r->server_princ) ?
+			  config->tgt_use_strongest_session_key :
+			  config->svc_use_strongest_session_key, FALSE,
 			  r->client, b->etype.val, b->etype.len, &r->sessionetype,
 			  NULL);
     if (ret) {

kdc/krb5tgs.c

@@ -1729,7 +1729,9 @@ server_lookup:
 	    Key *skey;
 
 	    ret = _kdc_find_etype(context,
-				  config->tgs_use_strongest_session_key, FALSE,
+				  krb5_principal_is_krbtgt(context, sp) ?
+				  config->tgt_use_strongest_session_key :
+				  config->svc_use_strongest_session_key, FALSE,
 				  server, b->etype.val, b->etype.len, &etype,
 				  NULL);
 	    if(ret) {

lib/krb5/krb5.conf.5

@@ -432,19 +432,22 @@ Default is the same as
 .Va enable-kerberos4 .
 .It Li enable-http = Va BOOL
 Should the kdc answer kdc-requests over http.
-.It Li as-use-strongest-session-key = Va BOOL
+.It Li tgt-use-strongest-session-key = Va BOOL
 If this is TRUE then the KDC will prefer the strongest key from the
-client's AS-REQ enctype list, that is also supported by the KDC and the
+client's AS-REQ or TGS-REQ enctype list for the ticket session key that
-target principal, for the ticket session key. Else it will prefer the
+is supported by the KDC and the target principal when the target
-first key from the client's AS-REQ enctype list that is also supported
+principal is a krbtgt principal.  Else it will prefer the first key from
-by the KDC and the target principal. Defaults to TRUE.
+the client's AS-REQ enctype list that is also supported by the KDC and
+the target principal. Defaults to TRUE.
+.It Li svc-use-strongest-session-key = Va BOOL
+Like tgt-use-strongest-session-key, but applies to the session key
+enctype of tickets for services other than krbtgt principals. Defaults
+to TRUE.
 .It Li preauth-use-strongest-session-key = Va BOOL
-Like as-use-strongest-session-key, but applies to the session key
+If TRUE then select the strongest possible enctype from the client's
-enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
+AS-REQ for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication).
-pre-authentication). Defaults to TRUE.
+Else pick the first supported enctype from the client's AS-REQ. Defaults
-.It Li tgs-use-strongest-session-key = Va BOOL
+to TRUE.
-Like as-use-strongest-session-key, but applies to the session key
-enctype of tickets issued by the TGS. Defaults to TRUE.
 .It Li use-strongest-server-key = Va BOOL
 If TRUE then the KDC picks, for the ticket encrypted part's key, the
 first supported enctype from the target service principal's hdb entry's