author | Greg Hudson <ghudson@mit.edu> | 2023-03-21 00:51:17 -0400 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2023-03-27 14:25:56 -0400 |
commit | 5af907156f8f502bbe268f0c62274f88a61261e4 (patch) | |
tree | 4890644bc0e69a304eb80cf5559695d51b1ef1d8 /src/include/kdb.h | |
parent | 654f257b8843e3d85e368d8816511d99a8bab987 (diff) | |
Add pac_privsvr_enctype string attribute
The KDC uses the first local TGT key for the privsvr and full PAC
checksums. If this key is of an aes-sha2 enctype in a cross-realm
TGT, a Microsoft KDC in the target realm may reject the ticket because
it has an unexpectedly large privsvr checksum buffer. This behavior
is unnecessarily picky as the target realm KDC cannot and does not
need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the
checksum key to three specific enctypes.
As a workaround, add a string attribute which can force the privsvr
key to use a specified enctype using key derivation when issuing
tickets to that principal. This attribute can be set on cross-realm
TGT entries when the target realm uses Active Directory and the local
TGT uses an aes-sha2 primary key.
ticket: 9089 (new)
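As an added example (not krb5 project code), the following Python walks through the decision the commit message describes: read the first key of the local TGT from kadmin `getprinc` output, decide whether the cross-realm TGT entry needs `pac_privsvr_enctype`, build the `kadmin.local set_string` command that sets it, and classify a PAC privsvr signature buffer against the three signature types [MS-PAC] 2.8.2 allows. The realm names, the `getprinc` output and the signature buffers are constructed; choosing aes256-cts-hmac-sha1-96 as the override value is this example's assumption (any of the three [MS-PAC] enctypes would do), and the signature-type constants, their lengths and the `set_string` syntax come from [MS-PAC] 2.8, RFC 8009 and the kadmin documentation rather than from this page.

```python
"""Added example: is pac_privsvr_enctype needed, and does a PAC privsvr
signature buffer fit what an Active Directory KDC accepts?  Not krb5 code."""
import re
import struct

# Signature types [MS-PAC] 2.8.2 permits for the KDC (privsvr) checksum,
# with the signature length each produces.
MSPAC_PRIVSVR_TYPES = {
    0xFFFFFF76: ("KERB_CHECKSUM_HMAC_MD5", 16),   # rc4-hmac
    0x0000000F: ("HMAC_SHA1_96_AES128", 12),      # aes128-cts-hmac-sha1-96
    0x00000010: ("HMAC_SHA1_96_AES256", 12),      # aes256-cts-hmac-sha1-96
}
# RFC 8009 checksum types: what a krb5 KDC emits when the first local TGT
# key is an aes-sha2 enctype.  Their signatures are longer than AD expects.
AES_SHA2_CKSUM_TYPES = {
    19: ("hmac-sha256-128-aes128", 16),
    20: ("hmac-sha384-192-aes256", 24),
}
AES_SHA2_ENCTYPES = {"aes128-cts-hmac-sha256-128", "aes256-cts-hmac-sha384-192"}


def first_key_enctype(getprinc_output):
    """Enctype of the first 'Key:' line in kadmin getprinc output, i.e. the
    key the KDC uses for the privsvr and full PAC checksums."""
    for line in getprinc_output.splitlines():
        m = re.match(r"\s*Key: vno \d+, ([^,\s]+)", line)
        if m:
            return m.group(1)
    raise ValueError("no Key: line in getprinc output")


def privsvr_override(local_tgt_enctype, target="aes256-cts-hmac-sha1-96"):
    """Enctype name to store in pac_privsvr_enctype, or None if the local
    TGT key is already one AD accepts.  The aes-sha1 target is an assumption
    of this example."""
    return target if local_tgt_enctype in AES_SHA2_ENCTYPES else None


def set_string_command(xrealm_tgt_principal, enctype):
    """kadmin.local invocation for the cross-realm TGT entry
    (set_string syntax: set_string principal name value)."""
    return ["kadmin.local", "-q",
            f"set_string {xrealm_tgt_principal} pac_privsvr_enctype {enctype}"]


def classify_privsvr_signature(buf):
    """Classify a PAC_SIGNATURE_DATA buffer: uint32 LE SignatureType, then
    Signature, optionally followed by a 2-byte RODCIdentifier."""
    if len(buf) < 4:
        raise ValueError("buffer shorter than SignatureType")
    (stype,) = struct.unpack_from("<I", buf, 0)
    sig = buf[4:]
    if stype in MSPAC_PRIVSVR_TYPES:
        name, size = MSPAC_PRIVSVR_TYPES[stype]
        if len(sig) in (size, size + 2):
            return "accepted", name
        return "bad-length", name
    if stype in AES_SHA2_CKSUM_TYPES:
        return "rejected-by-ad", AES_SHA2_CKSUM_TYPES[stype][0]
    return "unknown", hex(stype)


# Constructed sample data: a local TGT whose first key is aes-sha2, and
# fake signature buffers (zero bytes, not real checksums).
SAMPLE_GETPRINC = """Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha384-192
Key: vno 1, aes256-cts-hmac-sha1-96
"""
SIG_AES_SHA2 = struct.pack("<I", 20) + bytes(24)
SIG_AES_SHA1 = struct.pack("<I", 0x10) + bytes(12)
SIG_RC4 = struct.pack("<I", 0xFFFFFF76) + bytes(16)

if __name__ == "__main__":
    et = first_key_enctype(SAMPLE_GETPRINC)
    override = privsvr_override(et)
    print(f"local TGT first key: {et}; override needed: {override}")
    if override:
        # Hypothetical target realm AD.EXAMPLE.COM running Active Directory.
        print(" ".join(set_string_command(
            "krbtgt/AD.EXAMPLE.COM@EXAMPLE.COM", override)))
    for buf in (SIG_AES_SHA2, SIG_AES_SHA1, SIG_RC4):
        print(classify_privsvr_signature(buf))
```

The signature check is what an administrator can apply to a captured cross-realm ticket's PAC (the KERB_VALIDATION_INFO is not needed; only the PAC_SIGNATURE_DATA buffer for the privsvr checksum is inspected) to confirm that, after the attribute is set, the KDC is emitting one of the three [MS-PAC] types rather than an RFC 8009 type.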
Diffstat (limited to 'src/include/kdb.h')
-rw-r--r-- | src/include/kdb.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/include/kdb.h b/src/include/kdb.h index bbae9d1..745b24f 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -133,6 +133,7 @@ #define KRB5_DB_ITER_RECURSE 0x00000004 /* String attribute names recognized by krb5 */ +#define KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE "pac_privsvr_enctype" #define KRB5_KDB_SK_SESSION_ENCTYPES "session_enctypes" #define KRB5_KDB_SK_REQUIRE_AUTH "require_auth" |
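Review bot: the new `KRB5_KDB_SK_PAC_PRIVSVR_ENCTYPE` define carries no comment on the value it accepts; the only documentation in this hunk is the pre-existing generic line `/* String attribute names recognized by krb5 */`. Since the commit message says the attribute forces the privsvr checksum key to a specified enctype by key derivation, and is only meant for cross-realm TGT entries whose target realm is Active Directory, add a one-line comment beside the define stating that the value is an enctype name (in the form krb5_string_to_enctype() accepts) and when it should be set. The diffstat shows only kdb.h changing, so the code that reads the attribute, and what it does with an unrecognized enctype name, is not visible here and needs to be checked in the KDC-side part of this change.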