1bed48b75c
The default heimdal KDC chokes when trying to encrypt a ticket with a weak server key that has a different type than the session key. The problem happens in the krb5_crypto_init function called from the _kdc_encode_reply function. The existing work-around of the problem temporarily enabled the weak enctype in case it was disabled but the principal was on the (hard-coded) exception list. Unfortunately the code used the keytype of the key encoded in the ticked (the session key) instead of the keytype of the key used to encrypt the ticket (the serverkey) thus enabling the incorrect encryption type if those two are different, for instance des-cbc-md5 and des-cbc-crc. Change-Id: Ia55dc344e3e5fc9ec1eb93c9e8ebb0a58c673d57
Heimdal is a Kerberos 5 implementation. For information how to install see <http://www.h5l.org/compile.html>. There are briefer man pages for most of the commands. Bug reports and bugs are appreciated, see more under Bug reports in the manual on how we prefer them: <heimdal-bugs@h5l.org>. For more information see the web-page at <http://www.h5l.org/> or the mailing lists: heimdal-announce@sics.se low-volume announcement heimdal-discuss@sics.se high-volume discussion send a mail to heimdal-announce-request@sics.se and heimdal-discuss-request@sics.se respectively to subscribe.