• CVE-2020-17049

    From Luke Hebert@21:1/5 to All on Mon Nov 16 09:44:21 2020
    Hi,

    We've just started encountering problems at customer sites with Kerberos enabled clients as a result of how Microsoft appears to be approaching CVE-2020-17049
    <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
    details on this CVE are slim on Mitre and there is a small amount of
    additional information on the microsoft portal. I thought I'd ask the list
    what their thoughts are on what is being done here. Disabling service
    ticket and tgt renewability is not great and it obviously breaks long
    running processes that rely on renewability of these items. I'm sure we
    could move to an alternate approach where we do not renew these items but rather obtain a new one but the changes are likely non-trivial across many different projects.

    https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049

    *How does this patch affect third-party Kerberos clients?*

    When the registry key is set to 1, patched domain controllers will issue service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
    and will refuse to renew existing service tickets and TGTs. Windows clients
    are not impacted by this since they never renew service tickets or TGTs. Third-party Kerberos clients may fail to renew service tickets or TGTs
    acquired from unpatched DCs. If all DCs are patched with the registry set
    to 1, third-party clients will no longer receive renewable tickets.


    *--Luke Hebert* |
    cloudera.com <https://www.cloudera.com>

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jeffrey Altman@21:1/5 to " on Tue Nov 17 12:53:16 2020
    To: lhebert@cloudera.com (Luke Hebert)
    To: kerberos@mit.edu

    On 11/17/2020 12:16 PM, Robbie Harwood (rharwood@redhat.com) wrote:
    > Luke Hebert <lhebert@cloudera.com> writes:
    >
    >> Hi,
    >> Disabling service
    >> ticket and tgt renewability is not great and it obviously breaks long
    >> running processes that rely on renewability of these items.

    Just to set the record straight, Kerberos service tickets have never
    been renewable unless they were obtained as initial tickets. Only
    TGTs are renewable. This is true for MIT and Heimdal as well as
    Active Directory.

    >> *How does this patch affect third-party Kerberos clients?*
    >>
    >> When the registry key is set to 1, patched domain controllers will issue
    >> service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
    >> and will refuse to renew existing service tickets and TGTs. Windows clients
    >> are not impacted by this since they never renew service tickets or TGTs.
    >> Third-party Kerberos clients may fail to renew service tickets or TGTs
    >> acquired from unpatched DCs. If all DCs are patched with the registry set
    >> to 1, third-party clients will no longer receive renewable tickets.
    >
    > You're correct that Microsoft has not released details on this issue.
    >
    > They have indicated that some failures are a known issue, and claim to
    > be working on a fix: https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc

    It used to be the case that "kinit -r" would fail if the requested
    principal was "disallow-renewable". I don't remember if it was because
    the KDC refused to issue any ticket when renewable was requested or if
    it was the client library rejecting the ticket because it didn't satisfy
    the request. If the problem is the latter, the Microsoft change has an immediate impact that cannot easily be worked around without patching
    the client systems.

    It would be useful if someone could test and report the actual symptoms
    as observed on the non-Windows client.

    Jeffrey Altman




  • From Robbie Harwood@21:1/5 to Luke Hebert on Tue Nov 17 12:16:20 2020
    To: kerberos@mit.edu

    Luke Hebert <lhebert@cloudera.com> writes:

    > Hi,
    >
    > We've just started encountering problems at customer sites with Kerberos
    > enabled clients as a result of how Microsoft appears to be approaching
    > CVE-2020-17049 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
    > details on this CVE are slim on Mitre and there is a small amount of
    > additional information on the microsoft portal. I thought I'd ask the list
    > what their thoughts are on what is being done here. Disabling service
    > ticket and tgt renewability is not great and it obviously breaks long
    > running processes that rely on renewability of these items. I'm sure we
    > could move to an alternate approach where we do not renew these items but
    > rather obtain a new one but the changes are likely non-trivial across many
    > different projects.
    >
    > https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
    >
    > *How does this patch affect third-party Kerberos clients?*
    >
    > When the registry key is set to 1, patched domain controllers will issue
    > service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
    > and will refuse to renew existing service tickets and TGTs. Windows clients
    > are not impacted by this since they never renew service tickets or TGTs.
    > Third-party Kerberos clients may fail to renew service tickets or TGTs
    > acquired from unpatched DCs. If all DCs are patched with the registry set
    > to 1, third-party clients will no longer receive renewable tickets.

    You're correct that Microsoft has not released details on this issue.

    They have indicated that some failures are a known issue, and claim to
    be working on a fix: https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc

    Thanks,
    --Robbie

  • From Sean Phillips@21:1/5 to lhebert@cloudera.com on Tue Nov 17 13:09:54 2020
    unsubscribe

    On Mon, Nov 16, 2020 at 10:58 AM Luke Hebert <lhebert@cloudera.com> wrote:

    > Hi,
    >
    > We've just started encountering problems at customer sites with Kerberos
    > enabled clients as a result of how Microsoft appears to be approaching
    > CVE-2020-17049 <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
    > details on this CVE are slim on Mitre and there is a small amount of
    > additional information on the microsoft portal. I thought I'd ask the list
    > what their thoughts are on what is being done here. Disabling service
    > ticket and tgt renewability is not great and it obviously breaks long
    > running processes that rely on renewability of these items. I'm sure we
    > could move to an alternate approach where we do not renew these items but
    > rather obtain a new one but the changes are likely non-trivial across many
    > different projects.
    >
    > https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
    >
    > *How does this patch affect third-party Kerberos clients?*
    >
    > When the registry key is set to 1, patched domain controllers will issue
    > service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
    > and will refuse to renew existing service tickets and TGTs. Windows clients
    > are not impacted by this since they never renew service tickets or TGTs.
    > Third-party Kerberos clients may fail to renew service tickets or TGTs
    > acquired from unpatched DCs. If all DCs are patched with the registry set
    > to 1, third-party clients will no longer receive renewable tickets.
    >
    >
    > *--Luke Hebert* |
    > cloudera.com <https://www.cloudera.com>


  • From Jeffrey Altman@21:1/5 to " on Tue Nov 17 13:51:42 2020
    To: rharwood@redhat.com (Robbie Harwood)
    To: kerberos@mit.edu

    On 11/17/2020 1:26 PM, Greg Hudson (ghudson@mit.edu) wrote:
    > On 11/17/20 12:53 PM, Jeffrey Altman wrote:
    >> Just to set the record straight, Kerberos service tickets have never
    >> been renewable unless they were obtained as initial tickets. Only
    >> TGTs are renewable. This is true for MIT and Heimdal as well as
    >> Active Directory.
    >
    > Both initial and non-initial non-TGTs are renewable with MIT krb5:
    >
    > $ make testrealm
    > $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
    > $ kadmin.local modprinc -maxrenewlife 1d user
    > $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
    > $ kinit -S host/small-gods -l 10m -r 20m
    > Password for user@KRBTEST.COM:
    > $ kinit -R -S host/small-gods
    > $ kinit -l 10m -r 20m user
    > Password for user@KRBTEST.COM:
    > $ kvno host/small-gods
    > host/small-gods@KRBTEST.COM: kvno = 1
    > $ kinit -R -S host/small-gods
    > $
    >
    > There is even a messaging service at MIT that makes use of renewable
    > service tickets.
    >
    > Prior to release 1.9 the MIT krb5 KDC supported renewing service
    > tickets, but the client library did not: https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .
    >
    >> It used to be the case that "kinit -r" would fail if the requested
    >> principal was "disallow-renewable". I don't remember if it was because
    >> the KDC refused to issue any ticket when renewable was requested or if
    >> it was the client library rejecting the ticket because it didn't satisfy
    >> the request.
    >
    > That was KDC-side. For MIT krb5, the KDC behavior changed in release
    > 1.12 to just issue a non-renewable ticket in this case.

    Greg,

    Thanks for tracking down the history.

    I'm glad to see that service tickets can be renewed. The lack of that functionality was always frustrating.

    Heimdal should change its behavior to match.

    Jeffrey Altman



  • From Jeffrey T. Hutzelman@21:1/5 to Jeffrey Altman on Tue Nov 17 19:10:25 2020
    To: ghudson@mit.edu (Greg Hudson)
    To: rharwood@redhat.com (Robbie Harwood)
    To: kerberos@mit.edu (kerberos@mit.edu)

    Hrm. RFC4120 is fairly explicit on how the KDC processing works for a request to renew a service ticket. In particular, it contemplates a TGS_REQ in which "the accompanying ticket is not a TGT for the current realm, but is for an application server in
    the current realm", and describes under what conditions the TGS may decrypt and process such a request.


    Oddly, the language describing how the RENEWABLE flag gets set in the first place is only present in the section on AS_REQ processing. Apparently we left that bit out. :-(


    -- Jeff

    ________________________________
    From: kerberos-bounces@mit.edu <kerberos-bounces@mit.edu> on behalf of Jeffrey Altman <jaltman@secure-endpoints.com>
    Sent: Tuesday, November 17, 2020 1:51 PM
    To: Greg Hudson (ghudson@mit.edu); Robbie Harwood (rharwood@redhat.com); kerberos@mit.edu
    Subject: Re: CVE-2020-17049

    On 11/17/2020 1:26 PM, Greg Hudson (ghudson@mit.edu) wrote:
    > On 11/17/20 12:53 PM, Jeffrey Altman wrote:
    >> Just to set the record straight, Kerberos service tickets have never
    >> been renewable unless they were obtained as initial tickets. Only
    >> TGTs are renewable. This is true for MIT and Heimdal as well as
    >> Active Directory.
    >
    > Both initial and non-initial non-TGTs are renewable with MIT krb5:
    >
    > $ make testrealm
    > $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
    > $ kadmin.local modprinc -maxrenewlife 1d user
    > $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
    > $ kinit -S host/small-gods -l 10m -r 20m
    > Password for user@KRBTEST.COM:
    > $ kinit -R -S host/small-gods
    > $ kinit -l 10m -r 20m user
    > Password for user@KRBTEST.COM:
    > $ kvno host/small-gods
    > host/small-gods@KRBTEST.COM: kvno = 1
    > $ kinit -R -S host/small-gods
    > $
    >
    > There is even a messaging service at MIT that makes use of renewable
    > service tickets.
    >
    > Prior to release 1.9 the MIT krb5 KDC supported renewing service
    > tickets, but the client library did not: https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .
    >
    >> It used to be the case that "kinit -r" would fail if the requested
    >> principal was "disallow-renewable". I don't remember if it was because
    >> the KDC refused to issue any ticket when renewable was requested or if
    >> it was the client library rejecting the ticket because it didn't satisfy
    >> the request.
    >
    > That was KDC-side. For MIT krb5, the KDC behavior changed in release
    > 1.12 to just issue a non-renewable ticket in this case.

    Greg,

    Thanks for tracking down the history.

    I'm glad to see that service tickets can be renewed. The lack of that functionality was always frustrating.

    Heimdal should change its behavior to match.

    Jeffrey Altman

  • From Greg Hudson@21:1/5 to Jeffrey Altman on Tue Nov 17 13:26:27 2020
    To: rharwood@redhat.com (Robbie Harwood)
    To: lhebert@cloudera.com (Luke Hebert)
    To: kerberos@mit.edu

    On 11/17/20 12:53 PM, Jeffrey Altman wrote:
    > Just to set the record straight, Kerberos service tickets have never
    > been renewable unless they were obtained as initial tickets. Only
    > TGTs are renewable. This is true for MIT and Heimdal as well as
    > Active Directory.

    Both initial and non-initial non-TGTs are renewable with MIT krb5:

    $ make testrealm
    $ kadmin.local modprinc -maxrenewlife 1d host/small-gods
    $ kadmin.local modprinc -maxrenewlife 1d user
    $ kadmin.local modprinc -maxrenewlife 1d krbtgt/KRBTEST.COM
    $ kinit -S host/small-gods -l 10m -r 20m
    Password for user@KRBTEST.COM:
    $ kinit -R -S host/small-gods
    $ kinit -l 10m -r 20m user
    Password for user@KRBTEST.COM:
    $ kvno host/small-gods
    host/small-gods@KRBTEST.COM: kvno = 1
    $ kinit -R -S host/small-gods
    $

    There is even a messaging service at MIT that makes use of renewable
    service tickets.

    Prior to release 1.9 the MIT krb5 KDC supported renewing service
    tickets, but the client library did not: https://krbdev.mit.edu/rt/Ticket/Display.html?id=6699 .

    > It used to be the case that "kinit -r" would fail if the requested
    > principal was "disallow-renewable". I don't remember if it was because
    > the KDC refused to issue any ticket when renewable was requested or if
    > it was the client library rejecting the ticket because it didn't satisfy
    > the request.

    That was KDC-side. For MIT krb5, the KDC behavior changed in release
    1.12 to just issue a non-renewable ticket in this case.

  • From James Ralston@21:1/5 to lhebert@cloudera.com on Tue Nov 17 14:19:56 2020
    On Mon, Nov 16, 2020 at 10:48 AM Luke Hebert <lhebert@cloudera.com> wrote:

    > We've just started encountering problems at customer sites with
    > Kerberos enabled clients as a result of how Microsoft appears to be
    > approaching CVE-2020-17049
    > <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
    > details on this CVE are slim on Mitre and there is a small amount of
    > additional information on the microsoft portal. I thought I'd ask
    > the list what their thoughts are on what is being done here.
    > Disabling service ticket and tgt renewability is not great and it
    > obviously breaks long running processes that rely on renewability of
    > these items.

    I believe we are being bitten by this change as well. Here’s what we
    see.

    I perform an initial kinit, and request a renewable ticket:

    $ kinit username@EXAMPLE.ORG
    Password for username@EXAMPLE.ORG:

    As klist shows, the ticket is renewable:

    $ klist -f
    Ticket cache: KCM:2000:78917
    Default principal: username@EXAMPLE.ORG

    Valid starting       Expires              Service principal
    2020-11-13 13:15:57  2020-11-14 13:15:50  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 2020-11-20 13:15:50, Flags: FRIA

    Decoding the Flags field:

    +------+------------------+
    | flag | meaning |
    +------+------------------+
    | F | Forwardable |
    | R | Renewable |
    | I | Initial |
    | A | preAuthenticated |
    +------+------------------+

    But attempting to renew this ticket throws an error:

    $ kinit -R
    kinit: KDC can't fulfill requested option while renewing credentials

    From packet tracing, the TGS-REQ packet contains the following options:

    kdc-options: 40800002
    .1.. .... = forwardable: True
    1... .... = renewable: True
    .... ..1. = renew: True

    This is exactly what a renewal request should contain: a renew request
    (renew: True) using a non-expired renewable ticket (renewable: True).

    But the reply from the server is KRB-ERROR, and contains:

    krb-error
    msg-type: krb-error (30)
    error-code: eRR-BADOPTION (13)

    Curiously, we have multiple AD realms, and not all of them show this
    problem, despite the fact that our Windows admins assert that all
    realms received the Microsoft updates that contain the fix for
    CVE-2020-17049.

    I’ve asked our Windows admins to enumerate what the
    PerformTicketSignature registry keys are set to for all of our DCs,
    for all realms.

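As an added illustration (not code from the thread or from MIT krb5, Heimdal or Microsoft), here is a small Python decoder for the kdc-options word and klist Flags letters shown in the post above, plus a check that walks through the renewal diagnosis the way the post does. Bit positions are RFC 4120's; the classification strings and the sample timestamps in the usage are my own.

```python
from datetime import datetime
from typing import List, Optional, Set

# Bit positions from RFC 4120 (5.4.1 KDCOptions, 5.3 TicketFlags). ASN.1 BIT STRING
# numbering: bit 0 is the most significant bit of the 32-bit word, so kdc-options
# 40800002 = bit 1 (forwardable) + bit 8 (renewable) + bit 30 (renew).
KDC_OPTIONS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 11: "opt-hardware-auth",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}
# TicketFlags bit -> (letter printed by `klist -f`, RFC 4120 flag name)
TICKET_FLAGS = {
    1: ("F", "forwardable"), 2: ("f", "forwarded"), 3: ("P", "proxiable"),
    4: ("p", "proxy"), 5: ("D", "may-postdate"), 6: ("d", "postdated"),
    7: ("i", "invalid"), 8: ("R", "renewable"), 9: ("I", "initial"),
    10: ("A", "pre-authent"), 11: ("H", "hw-authent"),
    12: ("T", "transited-policy-checked"), 13: ("O", "ok-as-delegate"),
}
KDC_ERR_BADOPTION = 13  # the eRR-BADOPTION (13) seen in the thread's KRB-ERROR
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # timestamp format used by klist


def bit_set(word: int, bit: int) -> bool:
    """True if ASN.1 bit `bit` (0 = MSB) is set in a 32-bit flags word."""
    return bool(word & (1 << (31 - bit)))


def decode_kdc_options(word: int) -> List[str]:
    """Names of the KDCOptions bits set in `word`, in bit order."""
    return [name for bit, name in sorted(KDC_OPTIONS.items()) if bit_set(word, bit)]


def klist_flags_string(word: int) -> str:
    """Render a TicketFlags word as klist-style letters, in bit order (e.g. 'FRIA')."""
    return "".join(letter for bit, (letter, _) in sorted(TICKET_FLAGS.items())
                   if bit_set(word, bit))


def ticket_flags_from_klist(letters: str) -> Set[str]:
    """Parse the Flags column of `klist -f` back into RFC 4120 flag names."""
    by_letter = {letter: name for letter, name in TICKET_FLAGS.values()}
    unknown = [c for c in letters if c not in by_letter]
    if unknown:
        raise ValueError(f"unknown klist flag letter(s): {unknown}")
    return {by_letter[c] for c in letters}


def diagnose_renewal(kdc_options: int, klist_flags: str, renew_until: str,
                     now: str, error_code: Optional[int]) -> str:
    """Classify a TGS-REQ renewal attempt the way the post above reasons about it.

    Client-side conditions (renew option set, ticket renewable, renew-until not
    yet reached) are checked first; only when they all hold is a KRB-ERROR from
    the KDC attributed to KDC policy rather than to the client's own request.
    """
    opts = decode_kdc_options(kdc_options)
    flags = ticket_flags_from_klist(klist_flags)
    if "renew" not in opts:
        return "not a renewal request (renew option clear)"
    if "renewable" not in flags:
        return "client-side problem: ticket lacks the renewable flag"
    if datetime.strptime(now, TIME_FMT) >= datetime.strptime(renew_until, TIME_FMT):
        return "client-side problem: renew-until has passed"
    if error_code is None:
        return "renewal accepted"
    if error_code == KDC_ERR_BADOPTION:
        return ("well-formed renewal refused with KDC_ERR_BADOPTION: "
                "the KDC is declining to renew, which is the DC behaviour the thread describes")
    return f"renewal failed with KRB-ERROR code {error_code}"


if __name__ == "__main__":
    # Values taken from the packet trace and klist output quoted above; the
    # "now" timestamp is a constructed value inside the ticket's renew window.
    print(decode_kdc_options(0x40800002))  # ['forwardable', 'renewable', 'renew']
    print(diagnose_renewal(0x40800002, "FRIA", "2020-11-20 13:15:50",
                           "2020-11-13 13:20:00", KDC_ERR_BADOPTION))
```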