The Samba-Bugzilla – Attachment 16861 Details for Bug 14864: Heimdal prefers RC4 over AES for machine accounts
[patch] don't prefer RC4 for service tickets
dont-prefer-rc4.patch (text/plain), 2.23 KB, created by Andrew Bartlett on 2021-10-20 20:52:19 UTC
>From 7f11f7aff2b4d18d42c623bc665fb5bc6961d292 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 8 Oct 2021 15:53:47 +1300 >Subject: [PATCH 1/2] heimdal:kdc: Fix incorrect condition > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/heimdal/kdc/kerberos5.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index ec0c5ade153..0cbf713ce9f 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c >@@ -214,7 +214,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, > if (ret_enctype != NULL) > *ret_enctype = etypes[i]; > ret = 0; >- if (is_preauth && is_default_salt_p(&def_salt, key)) >+ if (!is_preauth || is_default_salt_p(&def_salt, key)) > goto out; > } > } >-- >2.25.1 > > >From f76db0d32383dffd8635e74ac2cc55bb17bd044b Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 8 Oct 2021 15:54:16 +1300 >Subject: [PATCH 2/2] heimdal:kdc: Only check for default salt for des-cbc-crc > enctype > >Previously, this algorithm was preferring RC4 over AES for machine >accounts in the preauth case. This is because AES keys for machine >accounts in Active Directory use a non-default salt, while RC4 keys do >not use a salt. To avoid this behaviour, only prefer keys with default >salt for the des-cbc-crc enctype. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > source4/heimdal/kdc/kerberos5.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index 0cbf713ce9f..4cba08fcbe6 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c 
>@@ -214,7 +214,8 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, > if (ret_enctype != NULL) > *ret_enctype = etypes[i]; > ret = 0; >- if (!is_preauth || is_default_salt_p(&def_salt, key)) >+ if (!is_preauth || enctype != (krb5_enctype)ETYPE_DES_CBC_CRC >+ || is_default_salt_p(&def_salt, key)) > goto out; > } > } >-- >2.25.1 >
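Review bot: In [PATCH 1/2] the commit message consists of the subject "Fix incorrect condition" and a BUG link, so nothing records why `is_preauth && is_default_salt_p(&def_salt, key)` was wrong or what `!is_preauth || is_default_salt_p(&def_salt, key)` is meant to achieve. Please add a body that states the rule as it reads from the new test: without preauth the first matching key ends the search, and with preauth the search continues until a key with the default salt is found. It should also say what the caller receives when preauth is in use and no default-salt key exists, because `ret = 0` and `*ret_enctype = etypes[i]` are assigned before the test and therefore stay set from a candidate that did not pass it. The BUG line cites id=14642 while this attachment is filed on bug 14864; if the change is meant for this bug, reference it as well.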
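Review bot: In [PATCH 2/2] the added test `enctype != (krb5_enctype)ETYPE_DES_CBC_CRC` reads a variable `enctype`, while the context lines of the same hunk record the candidate as `etypes[i]`; please confirm that `enctype` holds the enctype of the key being examined at this point, or compare `etypes[i]` directly. The reason for singling out des-cbc-crc is given only in the commit message, so a short comment above the condition (AES keys for machine accounts use a non-default salt, RC4 keys use no salt) would keep a later reader from restoring the default-salt preference for every enctype. A regression test that requests both AES and RC4 with preauth for a machine account and checks that AES is selected would pin the behaviour this change is after.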