The Samba-Bugzilla – Attachment 16862 Details for
Bug 14864
Heimdal prefers RC4 over AES for machine accounts
[patch] patch backported to 4.15 (only)
0001-heimdal-kdc-Only-check-for-default-salt-for-des-cbc-.patch (text/plain), 3.38 KB, created by Andrew Bartlett on 2021-10-20 21:25:28 UTC
Description: patch backported to 4.15 (only)
Filename: 0001-heimdal-kdc-Only-check-for-default-salt-for-des-cbc-.patch
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2021-10-20 21:25:28 UTC
Size: 3.38 KB
Marked as: patch, obsolete
>From 94a1afccf4a6938c95a7080917dadcaed7c33d49 Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 8 Oct 2021 15:53:47 +1300 >Subject: [PATCH] heimdal:kdc: Only check for default salt for des-cbc-crc > enctype > >Previously, this algorithm was preferring RC4 over AES for machine >accounts in the preauth case. This is because AES keys for machine >accounts in Active Directory use a non-default salt, while RC4 keys do >not use a salt. To avoid this behaviour, only prefer keys with default >salt for the des-cbc-crc enctype. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53) >--- > selftest/knownfail_heimdal_kdc | 3 --- > source4/heimdal/kdc/kerberos5.c | 3 ++- > 2 files changed, 2 insertions(+), 4 deletions(-) > >diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc >index 767bfe90943..8b497160878 100644 >--- a/selftest/knownfail_heimdal_kdc >+++ b/selftest/knownfail_heimdal_kdc >@@ -48,7 +48,6 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_hide_client_names.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_claims.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_subkey.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_flags.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_wrong_nonce.ad_dc 
>@@ -57,9 +56,7 @@ > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_service_ticket_mach.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_unknown_critical_option.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_fast_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs.ad_dc >-^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_etypes.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_no_subkey.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket.ad_dc > ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_service_ticket_mach.ad_dc >diff --git a/source4/heimdal/kdc/kerberos5.c b/source4/heimdal/kdc/kerberos5.c >index 0fa336e871c..a7ca3d93475 100644 >--- a/source4/heimdal/kdc/kerberos5.c >+++ b/source4/heimdal/kdc/kerberos5.c >@@ -174,7 +174,8 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key, > ret = hdb_enctype2key(context, &princ->entry, p[i], &key); > if (ret) > continue; >- if (is_preauth && !is_default_salt_p(&def_salt, key)) >+ if (is_preauth && enctype == (krb5_enctype)ETYPE_DES_CBC_CRC >+ && !is_default_salt_p(&def_salt, key)) > continue; > enctype = p[i]; > } >-- >2.25.1 >
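Review bot: in the source4/heimdal/kdc/kerberos5.c hunk the new condition tests `enctype == (krb5_enctype)ETYPE_DES_CBC_CRC`, but `enctype` is the result variable that is only assigned from the candidate on the line after the check (`enctype = p[i];`), while the key just fetched by `hdb_enctype2key(context, &princ->entry, p[i], &key)` belongs to the candidate `p[i]`. If `enctype` still holds its initial value when this line runs, the comparison is never true and the `is_default_salt_p` check is skipped for every enctype, which silently disables the check instead of restricting it to des-cbc-crc as the commit message states (the knownfail entries would still pass either way, so the tests do not distinguish the two). Please confirm against the loop header (not shown in the hunk) and, if so, compare the candidate instead: `if (is_preauth && p[i] == (krb5_enctype)ETYPE_DES_CBC_CRC && !is_default_salt_p(&def_salt, key))`. A short comment above the check explaining why only des-cbc-crc needs the default-salt requirement (AES keys for machine accounts use a non-default salt while RC4 keys use none, per the commit message) would also help the next reader.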
Flags: jsutton: review+
Attachments on bug 14864: 16861 | 16862