touch-packages team mailing list archive

[Bug 849349] Re: libgssapi2-heimdal init_auth() discards configured enctypes

 

** Changed in: heimdal (Ubuntu)
       Status: New => Opinion

** Changed in: heimdal (Ubuntu)
   Importance: Undecided => Low

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to heimdal in Ubuntu.
https://bugs.launchpad.net/bugs/849349

Title:
  libgssapi2-heimdal init_auth() discards configured enctypes

Status in "heimdal" package in Ubuntu:
  Opinion

Bug description:
  Heimdal's libgssapi init_auth() makes a call to
  krb5_set_default_in_tkt_etypes() to support certain NFS clients.
  However, this call is always made, and thus can also be made when the
  second argument passed can be NULL.  The behaviour of
  krb5_set_default_in_tkt_etypes() in such an invocation is to reset the
  GSS-API context to requesting keys with any enctype supported by the
  client libraries.

  The unfortunate side effect of this is that the list of desired
  enctypes requested by clients now no longer matches the list of
  approved enctypes specified in the system krb5.conf, and as such *all*
  GSS-API initiators effectively ignore the admin-configured list of
  desired enctypes.

  The proper fix is to call krb5_set_default_in_tkt_etypes() if and only
  if the second argument is not NULL, as per the attached patch.

  The patch has already been submitted upstream against 1.5, but also
  applies cleanly to all versions of Heimdal from at least Lucid
  (1.2.e1.dfsg.1-1ubuntu1) onwards.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/heimdal/+bug/849349/+subscriptions
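
A simplified model of the behaviour described in the bug report above, showing the unconditional call beside the guarded one. This is an added example, not part of the original report and not Heimdal source; the names (`struct ctx`, `set_in_tkt_etypes`, `init_auth_before`, `init_auth_after`) and the sample enctype lists are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not Heimdal source: every name below is hypothetical. */
typedef int etype_t;
enum { ET_NULL = 0, ET_DES_CBC_CRC = 1, ET_AES256_SHA1 = 18, ET_RC4_HMAC = 23 };

/* Everything the client library supports, weak types included (0-terminated). */
static const etype_t lib_supported[] = { ET_AES256_SHA1, ET_RC4_HMAC, ET_DES_CBC_CRC, ET_NULL };

struct ctx { const etype_t *in_tkt_etypes; };  /* list the context will request */

/* Models the setter as the report describes it: NULL resets to library defaults. */
static void set_in_tkt_etypes(struct ctx *c, const etype_t *list)
{
    c->in_tkt_etypes = list ? list : lib_supported;
}

/* Before the fix: the setter is called unconditionally. */
static void init_auth_before(struct ctx *c, const etype_t *cred_etypes)
{
    set_in_tkt_etypes(c, cred_etypes);
}

/* After the fix: the setter is called if and only if the list is not NULL. */
static void init_auth_after(struct ctx *c, const etype_t *cred_etypes)
{
    if (cred_etypes != NULL)
        set_in_tkt_etypes(c, cred_etypes);
}

/* Constructed scenario: krb5.conf permits AES256 only and the credential
 * carries no enctype list. Returns 1 if anything else would be requested. */
static int requests_unapproved(void (*init)(struct ctx *, const etype_t *))
{
    static const etype_t admin_cfg[] = { ET_AES256_SHA1, ET_NULL };
    struct ctx c = { admin_cfg };
    init(&c, NULL);
    for (const etype_t *p = c.in_tkt_etypes; *p != ET_NULL; p++)
        if (*p != ET_AES256_SHA1)
            return 1;
    return 0;
}

int main(void)
{
    printf("before fix, unapproved enctype requested: %d\n", requests_unapproved(init_auth_before));
    printf("after fix,  unapproved enctype requested: %d\n", requests_unapproved(init_auth_after));
    return 0;
}
```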