[38843] in Kerberos
Re: CVE-2020-17049
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Nov 17 13:29:22 2020
To: Jeffrey Altman <jaltman@secure-endpoints.com>,
    "Robbie Harwood (rharwood@redhat.com)" <rharwood@redhat.com>,
    Luke Hebert <lhebert@cloudera.com>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <b39e8efa-a03e-9aa1-b9c8-6141aac38827@mit.edu>
Date: Tue, 17 Nov 2020 13:26:27 -0500
MIME-Version: 1.0
In-Reply-To: <a1b0f827-a42e-9576-63cc-a1dac1d85fcf@secure-endpoints.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 11/17/20 12:53 PM, Jeffrey Altman wrote:
> Just to set the record straight, Kerberos service tickets have never
> been renewable unless they were obtained as initial tickets. Only
> TGTs are renewable. This is true for MIT and Heimdal as well as
> Active Directory.
Both initial and non-initial non-TGTs are renewable with MIT krb5:
$ make testrealm
$ kadmin.local modprinc -maxrenewlife 1d host/small-gods
$ kadmin.local modprinc -maxrenewlife 1d user
$ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
$ kinit -S host/small-gods -l 10m -r 20m
Password for user@KRBTEST.COM:
$ kinit -R -S host/small-gods
$ kinit -l 10m -r 20m user
Password for user@KRBTEST.COM:
$ kvno host/small-gods
host/small-gods@KRBTEST.COM: kvno = 1
$ kinit -R -S host/small-gods
$
There is even a messaging service at MIT that makes use of renewable
service tickets.
Prior to release 1.9 the MIT krb5 KDC supported renewing service
tickets, but the client library did not:
https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .
> It used to be the case that "kinit -r" would fail if the requested
> principal was "disallow-renewable". I don't remember if it was because
> the KDC refused to issue any ticket when renewable was requested or if
> it was the client library rejecting the ticket because it didn't satisfy
> the request.
That was KDC-side. For MIT krb5, the KDC behavior changed in release
1.12 to just issue a non-renewable ticket in this case.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
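Added example (not part of the thread above and not code from MIT krb5): after running a kinit sequence like the one in the message, the quickest way to confirm what the KDC actually issued is to look at the ticket flags. The script below parses the text that MIT krb5's `klist -f` prints (one "start / expiry / service" line per ticket, followed by an indented "renew until ..., Flags: ..." line) and reports which tickets are TGTs, which carry the R (renewable) flag and which carry the I (initial) flag, so that a renewable, non-initial service ticket is visible as such. The listing embedded in SAMPLE_KLIST is constructed for the example and mirrors the message's scenario (a renewable user TGT plus a renewable service ticket for host/small-gods obtained with that TGT); the line format and flag letters are the ones MIT klist uses. The `read_live_cache` helper just shells out to `klist -f` and is an assumption about your environment, not something the thread shows.

```python
"""Report which tickets in a krb5 credential cache are renewable / initial.

Added example; not code from this mailing-list thread or from MIT krb5.
Parses the text that `klist -f` prints and classifies each ticket by the
flag letters klist shows (R = renewable, I = initial).
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing (not real klist output): a renewable initial
# TGT, a renewable non-initial service ticket, and a non-renewable one.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@KRBTEST.COM

Valid starting       Expires              Service principal
11/17/2020 13:20:00  11/17/2020 13:30:00  krbtgt/KRBTEST.COM@KRBTEST.COM
\trenew until 11/17/2020 13:40:00, Flags: FRIA
11/17/2020 13:20:01  11/17/2020 13:30:00  host/small-gods@KRBTEST.COM
\trenew until 11/17/2020 13:40:00, Flags: FRAT
11/17/2020 13:20:02  11/17/2020 13:30:00  ldap/dir.krbtest.com@KRBTEST.COM
\tFlags: FAT
"""

# A ticket line: two "date time" columns, then the service principal.
_ENTRY = re.compile(r"^(\d\S* \S+)\s+(\d\S* \S+)\s+(\S+)\s*$")
# Detail line pieces: "renew until <date> <time>" and "Flags: <letters>".
_RENEW = re.compile(r"renew until (\S+ [^,\s]+)")
_FLAGS = re.compile(r"Flags: ([A-Za-z]+)")


@dataclass
class Ticket:
    service: str
    flags: str
    renew_until: Optional[str]

    @property
    def tgt(self) -> bool:
        return self.service.startswith("krbtgt/")

    @property
    def renewable(self) -> bool:
        # klist prints an uppercase R for TKT_FLG_RENEWABLE.
        return "R" in self.flags

    @property
    def initial(self) -> bool:
        # Uppercase I is TKT_FLG_INITIAL; lowercase i would mean "invalid".
        return "I" in self.flags


def parse_klist(text: str) -> List[Ticket]:
    """Parse `klist -f` output into Ticket records (header lines are skipped)."""
    tickets: List[Ticket] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = _ENTRY.match(lines[i])
        i += 1
        if not m:
            continue
        flags, renew_until = "", None
        # klist puts renew time and flags on a following indented line;
        # without -f and without a renew time there is no such line.
        if i < len(lines) and lines[i][:1] in ("\t", " "):
            detail = lines[i]
            i += 1
            fm = _FLAGS.search(detail)
            rm = _RENEW.search(detail)
            flags = fm.group(1) if fm else ""
            renew_until = rm.group(1) if rm else None
        tickets.append(Ticket(m.group(3), flags, renew_until))
    return tickets


def renewable_non_initial_service_tickets(tickets: List[Ticket]) -> List[Ticket]:
    """The case discussed in the thread: non-krbtgt tickets that were obtained
    with a TGT (no I flag) yet carry the R flag."""
    return [t for t in tickets if t.renewable and not t.initial and not t.tgt]


def describe(t: Ticket) -> str:
    kind = "TGT" if t.tgt else "service ticket"
    how = "initial" if t.initial else "non-initial"
    renew = f"renewable until {t.renew_until}" if t.renewable else "not renewable"
    return f"{t.service}: {how} {kind}, {renew} (flags {t.flags or '-'})"


def read_live_cache() -> str:
    """Run `klist -f` on the caller's default cache (requires MIT krb5)."""
    return subprocess.run(["klist", "-f"], check=True, capture_output=True,
                          text=True).stdout


if __name__ == "__main__":
    tickets = parse_klist(SAMPLE_KLIST)
    for t in tickets:
        print(describe(t))
    for t in renewable_non_initial_service_tickets(tickets):
        print("renewable non-initial service ticket:", t.service)
```

Replace SAMPLE_KLIST with `read_live_cache()` to inspect a real cache; after the second `kinit -R -S host/small-gods` in the message the host/small-gods entry should show an R without an I, which is exactly the "non-initial non-TGT" renewal being discussed.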