- Bug
- Resolution: Fixed
- P3
- 5.0
- b49
- sparc
- solaris_8
The Kerberos library currently uses only default_tkt_enctypes when sending
its list of encryption types to the KDC. It ignores default_tgs_enctypes.
This is problematic because in some configurations it is desirable to
communicate with the KDC using a different set of encryption types than
with the server. For example, the server might support only weak encryption
types (Solaris 9 or pre-1.5 Java Kerberos servers) but the KDC might support
stronger encryption types (Solaris 10). Which list was used did not matter
before 1.5, because only one encryption type was supported. In 1.5, the Java
Kerberos library supports more than one encryption type. The Kerberos library
already supports parsing these two properties. The bug is that it doesn't use
the default_tgs_enctypes list with the right request to the KDC. The fix is to
use the correct default_XXX_enctypes list depending on which request is being
sent to the KDC.

Also, when using the default ticket cache, a Java Kerberos client will
try to use the ticket-granting ticket (TGT) even if it has an unsupported
encryption type. This then results in an exception. Instead, the Java client
should attempt to acquire a new TGT and ignore the unusable one in the
cache. With this bug, a Java client running on Solaris 10 and
using the Solaris ticket cache will fail with an exception.

Finally, add support for the 'permitted_enctypes' property to allow the
server to control the encryption types of session keys that it receives.
By default, all supported encryption types are allowed.
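To make the three changes described above concrete, here is an added illustration written for this page. It is not code from the JDK or from this bug's fix; the class, its method names, the SUPPORTED set and the krb5.conf fragment are all constructed assumptions. It models which property feeds which KDC request (and what the pre-fix behaviour sent instead), how permitted_enctypes gates a session key on the acceptor side, and why a cached TGT with an unusable encryption type should be skipped and a fresh one requested rather than causing an exception.

```java
import java.util.*;
import java.util.regex.*;

/**
 * Added illustration, not JDK code: how a Kerberos client should choose the
 * enctype list per KDC request, honour permitted_enctypes, and treat a cached
 * TGT whose enctype it cannot use. All names here are hypothetical.
 */
public class EnctypeSelection {

    // Constructed krb5.conf [libdefaults] fragment for the scenario in the report:
    // the KDC supports strong types (used for the AS exchange), while the
    // application server only handles older types (used for the TGS exchange).
    static final String KRB5_CONF =
        "[libdefaults]\n" +
        "  default_realm = EXAMPLE.COM\n" +
        "  default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1\n" +
        "  default_tgs_enctypes = des3-cbc-sha1 arcfour-hmac\n" +
        "  permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 des3-cbc-sha1\n";

    // Hypothetical: the enctypes this client build can actually use.
    static final Set<String> SUPPORTED = new LinkedHashSet<>(Arrays.asList(
        "aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac"));

    enum Request { AS_REQ, TGS_REQ }

    /** Parse "key = value ..." lines of a krb5.conf section into token lists. */
    static Map<String, List<String>> parseLibdefaults(String conf) {
        Map<String, List<String>> out = new HashMap<>();
        Pattern kv = Pattern.compile("^\\s*(\\w+)\\s*=\\s*(.+?)\\s*$");
        for (String line : conf.split("\n")) {
            Matcher m = kv.matcher(line);
            if (m.matches()) {
                out.put(m.group(1), Arrays.asList(m.group(2).split("[\\s,]+")));
            }
        }
        return out;
    }

    /**
     * Fixed behaviour: AS-REQ (initial TGT) uses default_tkt_enctypes and
     * TGS-REQ (service ticket) uses default_tgs_enctypes. Before the fix the
     * client sent default_tkt_enctypes for both requests.
     */
    static List<String> enctypesFor(Request req, Map<String, List<String>> conf, boolean fixed) {
        String key = (fixed && req == Request.TGS_REQ) ? "default_tgs_enctypes" : "default_tkt_enctypes";
        List<String> chosen = new ArrayList<>();
        for (String e : conf.getOrDefault(key, new ArrayList<>(SUPPORTED))) {
            if (SUPPORTED.contains(e)) chosen.add(e);   // never offer a type we cannot use
        }
        return chosen;
    }

    /** permitted_enctypes restricts the session keys the acceptor takes; absent means all supported. */
    static boolean sessionKeyPermitted(String enctype, Map<String, List<String>> conf) {
        List<String> permitted = conf.get("permitted_enctypes");
        return permitted == null ? SUPPORTED.contains(enctype) : permitted.contains(enctype);
    }

    /** Reuse a cached TGT only if its enctype is usable; otherwise ignore it and get a new one. */
    static String decideOnCachedTgt(String cachedTgtEnctype) {
        return SUPPORTED.contains(cachedTgtEnctype)
            ? "reuse cached TGT (" + cachedTgtEnctype + ")"
            : "ignore cached TGT (" + cachedTgtEnctype + "), request a new TGT from the KDC";
    }

    public static void main(String[] args) {
        Map<String, List<String>> conf = parseLibdefaults(KRB5_CONF);
        System.out.println("AS-REQ  offers:         " + enctypesFor(Request.AS_REQ, conf, true));
        System.out.println("TGS-REQ offers (fixed): " + enctypesFor(Request.TGS_REQ, conf, true));
        System.out.println("TGS-REQ offers (buggy): " + enctypesFor(Request.TGS_REQ, conf, false));
        System.out.println("arcfour-hmac session key permitted: " + sessionKeyPermitted("arcfour-hmac", conf));
        // Constructed cache entries: one usable type and one this client does not implement.
        System.out.println(decideOnCachedTgt("des3-cbc-sha1"));
        System.out.println(decideOnCachedTgt("camellia256-cts-cmac"));
    }
}
```

Running the class shows the pre-fix TGS-REQ offering the AES types the server cannot handle, the fixed TGS-REQ offering only the des3/arcfour list, arcfour-hmac being rejected as a session key because it is absent from permitted_enctypes, and the unusable cached TGT being skipped instead of surfacing as an exception.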