[38845] in Kerberos
Re: CVE-2020-17049
daemon@ATHENA.MIT.EDU (Jeffrey T. Hutzelman)
Tue Nov 17 14:13:05 2020
From: "Jeffrey T. Hutzelman" <jhutz@cmu.edu>
To: Jeffrey Altman <jaltman@secure-endpoints.com>, "Greg Hudson (ghudson@mit.edu)" <ghudson@mit.edu>, "Robbie Harwood (rharwood@redhat.com)" <rharwood@redhat.com>, "kerberos@mit.edu" <kerberos@mit.edu>
Date: Tue, 17 Nov 2020 19:10:25 +0000
Message-ID: <c7e5dc1d70df4d9089319fc686ffdb88@cmu.edu>
In-Reply-To: <1adcfe5c-0d8d-d5ff-2bdb-19747d7b2555@secure-endpoints.com>
Content-Language: en-US
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hrm. RFC4120 is fairly explicit on how the KDC processing works for a request to renew a service ticket. In particular, it contemplates a TGS_REQ in which "the accompanying ticket is not a TGT for the current realm, but is for an application server in the current realm", and describes under what conditions the TGS may decrypt and process such a request.
Oddly, the language describing how the RENEWABLE flag gets set in the first place is only present in the section on AS_REQ processing. Apparently we left that bit out. :-(
-- Jeff
________________________________
From: kerberos-bounces@mit.edu <kerberos-bounces@mit.edu> on behalf of Jeffrey Altman <jaltman@secure-endpoints.com>
Sent: Tuesday, November 17, 2020 1:51 PM
To: Greg Hudson (ghudson@mit.edu); Robbie Harwood (rharwood@redhat.com); kerberos@mit.edu
Subject: Re: CVE-2020-17049
On 11/17/2020 1:26 PM, Greg Hudson (ghudson@mit.edu) wrote:
> On 11/17/20 12:53 PM, Jeffrey Altman wrote:
>> Just to set the record straight, Kerberos service tickets have never
>> been renewable unless they were obtained as initial tickets. Only
>> TGTs are renewable. This is true for MIT and Heimdal as well as
>> Active Directory.
>
> Both initial and non-initial non-TGTs are renewable with MIT krb5:
>
> $ make testrealm
> $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
> $ kadmin.local modprinc -maxrenewlife 1d user
> $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
> $ kinit -S host/small-gods -l 10m -r 20m
> Password for user@KRBTEST.COM:
> $ kinit -R -S host/small-gods
> $ kinit -l 10m -r 20m user
> Password for user@KRBTEST.COM:
> $ kvno host/small-gods
> host/small-gods@KRBTEST.COM: kvno = 1
> $ kinit -R -S host/small-gods
> $
>
> There is even a messaging service at MIT that makes use of renewable
> service tickets.
>
> Prior to release 1.9 the MIT krb5 KDC supported renewing service
> tickets, but the client library did not:
> https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .
>
>> It used to be the case that "kinit -r" would fail if the requested
>> principal was "disallow-renewable". I don't remember if it was because
>> the KDC refused to issue any ticket when renewable was requested or if
>> it was the client library rejecting the ticket because it didn't satisfy
>> the request.
>
> That was KDC-side. For MIT krb5, the KDC behavior changed in release
> 1.12 to just issue a non-renewable ticket in this case.
Greg,
Thanks for tracking down the history.
I'm glad to see that service tickets can be renewed. The lack of that
functionality was always frustrating.
Heimdal should change its behavior to match.
Jeffrey Altman
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
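The policy the thread reconstructs (service tickets renewable on either the AS or TGS path, renew-till bounded by the maxrenewlife of client, service and krbtgt, and the pre-1.12 refusal versus the 1.12-and-later non-renewable fallback for disallow-renewable principals), as an added Python model that is not MIT krb5 code. Principal, Ticket, issue, renew and the cap rule are assumptions made for illustration; the renewal checks follow RFC 4120 section 3.3.3.

```python
from dataclasses import dataclass

class KDCError(Exception):
    pass  # stands in for a KRB-ERROR reply; messages are descriptive, not protocol error codes

@dataclass
class Principal:
    name: str
    max_renew_life: int = 0           # kadmin maxrenewlife in seconds (0: never renewable)
    disallow_renewable: bool = False  # kadmin attribute of the same name

@dataclass
class Ticket:
    client: str
    server: str
    start: int                        # all times are seconds since the epoch
    end: int
    renew_till: "int | None"          # None when the RENEWABLE flag is not set

def issue(client, server, tgt, now, life, renew_life=0, refuse_disallowed=False):
    """Issue a ticket for an AS_REQ or TGS_REQ; service tickets take the same path as TGTs.
    renew_life is the requested renewable lifetime (kinit -r), 0 when not requested.
    refuse_disallowed=True models MIT krb5 before 1.12 (error); False models 1.12 and
    later, which issues a non-renewable ticket instead."""
    end = now + life
    renew_till = None
    if renew_life > 0:
        if any(p.disallow_renewable for p in (client, server, tgt)):
            if refuse_disallowed:
                raise KDCError("renewable ticket requested for a disallow-renewable principal")
        else:
            # Assumed cap: smallest maxrenewlife of client, server and krbtgt, mirroring the
            # three modprinc calls in the quoted test session
            cap = min(client.max_renew_life, server.max_renew_life, tgt.max_renew_life)
            candidate = now + min(renew_life, cap)
            if candidate > end:       # RENEWABLE only when it extends past endtime (assumed)
                renew_till = candidate
    return Ticket(client.name, server.name, now, end, renew_till)

def renew(ticket, now):
    """RFC 4120 section 3.3.3: RENEWABLE set, renew-till in the future, ticket unexpired;
    new endtime = min(renew-till, now + original lifetime)."""
    if ticket.renew_till is None:
        raise KDCError("ticket is not renewable")
    if now >= ticket.end:
        raise KDCError("ticket has expired")
    if now >= ticket.renew_till:
        raise KDCError("renew-till has passed")
    life = ticket.end - ticket.start
    return Ticket(ticket.client, ticket.server, now, min(now + life, ticket.renew_till), ticket.renew_till)
```

The first assertion sequence in a test of this model reproduces the quoted session: a 10m/20m service ticket obtained directly, renewed twice, then refused once it has expired.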