On 7/30/2013 6:57 AM, Harald Barth wrote:
>
>> Secure Endpoints has pushed fixes to https://github.com/heimdal/heimdal
>> for both the 'master' (aka pre-1.6) and 'heimdal-1-5-branch' branches.
>
> Warning: Real-life results show that the code path for preauth always
> seems to go through the strongest enctype configured (for example
> aes256), even if the user's principal does not have a key of that
> enctype. So these users (*) will not be able to obtain tickets any
> more (at least not without a password change to get those new keys).
This is an incorrect description. The explicit problem occurs when the
following combination is true:
1. user has one or more strong enctype keys with non-default
password salts
2. the only keys with default password salts are weak enctypes
3. preauth is required
In this combination, the strong enctype with the non-default password
salt will not be recommended to the client in the pa-etype-info or
pa-etype-info2 data sent with the preauth required error reply.
Since no pa-etype hint was provided, the client chooses its preferred
enctype, which is aes256.
A correction has been prepared and will be submitted after testing.
Jeffrey Altman
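The three-condition combination Jeffrey describes is easier to see when modelled end to end. The following Python is an added example and is not Heimdal code or a description of its internals: it uses a toy string-to-key function, a hand-built key database, and an assumed model of the faulty hint selection (only default-salted keys are considered for pa-etype-info2) beside the corrected one (any key of a requested enctype is hinted, carrying its salt). The realm, principal, password, salt string "LEGACY-SALT" and the client enctype preference list are all constructed for the example.

```python
"""Model of the pa-etype-info2 hint problem discussed in the thread.

Added example, not Heimdal code. The KDC class is a stand-in with one
principal's keys; the two etype_info_* methods are assumed models of the
broken and corrected hint selection, not the project's actual logic.
"""
import hashlib
import hmac

# Client preference order, strongest first (an assumption of the model).
CLIENT_ETYPES = ["aes256-cts-hmac-sha1-96", "aes128-cts-hmac-sha1-96",
                 "arcfour-hmac-md5"]


def default_salt(realm, principal):
    """Default Kerberos password salt: realm followed by the principal's
    name components with the separators removed."""
    return realm + "".join(principal.split("/"))


def string2key(password, salt, enctype):
    """Toy stand-in (assumption) for the per-enctype string-to-key function.
    All the model needs is a key that depends on (password, salt, enctype)."""
    return hmac.new(enctype.encode(), (salt + password).encode(),
                    hashlib.sha256).hexdigest()


class KDC:
    """Holds one principal's keys as (enctype, salt, key) tuples."""

    def __init__(self, realm, principal, password, key_salts):
        self.realm, self.principal = realm, principal
        self.keys = [(e, s, string2key(password, s, e)) for e, s in key_salts]

    def etype_info_buggy(self, requested):
        """Assumed model of the fault: only keys with the default salt are
        candidates for the hint, so a strong key with a non-default salt
        is never recommended."""
        dflt = default_salt(self.realm, self.principal)
        return [(e, s) for e, s, _ in self.keys if e in requested and s == dflt]

    def etype_info_fixed(self, requested):
        """Corrected model: any key of a requested enctype is hinted, and the
        hint carries the salt the client must use."""
        return [(e, s) for e, s, _ in self.keys if e in requested]

    def verify_preauth(self, enctype, key):
        """PA-ENC-TIMESTAMP check reduced to its essence: the KDC can only
        decrypt the timestamp if the client derived the same key it stores."""
        return any(e == enctype and k == key for e, s, k in self.keys)


def client_preauth(kdc, password, hints):
    """Client side: follow the KDC's hint if one was given, otherwise fall
    back to the preferred enctype with the default salt (the behaviour the
    thread describes). Returns (enctype, salt, preauth_succeeded)."""
    if hints:
        enctype, salt = hints[0]
    else:
        enctype = CLIENT_ETYPES[0]
        salt = default_salt(kdc.realm, kdc.principal)
    key = string2key(password, salt, enctype)
    return enctype, salt, kdc.verify_preauth(enctype, key)


def scenario():
    """Constructed principal meeting all three conditions: a strong key with a
    non-default salt, weak keys only with the default salt, preauth required."""
    realm, principal, password = "EXAMPLE.ORG", "harald", "correct horse"
    dflt = default_salt(realm, principal)
    kdc = KDC(realm, principal, password,
              [("aes256-cts-hmac-sha1-96", "LEGACY-SALT"),   # strong, odd salt
               ("des-cbc-md5", dflt)])                       # weak, default salt
    buggy = client_preauth(kdc, password, kdc.etype_info_buggy(CLIENT_ETYPES))
    fixed = client_preauth(kdc, password, kdc.etype_info_fixed(CLIENT_ETYPES))
    return buggy, fixed


if __name__ == "__main__":
    for label, result in zip(("buggy", "fixed"), scenario()):
        print(label, result)
```

With the faulty hint selection the des key is the only default-salted key and the client never asked for DES, so the reply carries no etype-info at all; the client then derives an aes256 key with the default salt, which does not match the stored aes256 key, and the timestamp fails to decrypt. With the corrected selection the hint names aes256 together with "LEGACY-SALT" and the same client succeeds without a password change.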