unsubscribe

On Mon, Nov 16, 2020 at 10:58 AM Luke Hebert <lheb...@cloudera.com> wrote:

> Hi,
>
> We've just started encountering problems at customer sites with Kerberos
> enabled clients as a result of how Microsoft appears to be approaching
> CVE-2020-17049
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
> details on this CVE are slim on Mitre and there is a small amount of
> additional information on the Microsoft portal. I thought I'd ask the list
> what their thoughts are on what is being done here. Disabling service
> ticket and TGT renewability is not great and it obviously breaks long
> running processes that rely on renewability of these items. I'm sure we
> could move to an alternate approach where we do not renew these items but
> rather obtain a new one but the changes are likely non-trivial across many
> different projects.
>
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
>
>> *How does this patch affect third-party Kerberos clients?*
>>
>> When the registry key is set to 1, patched domain controllers will issue
>> service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
>> and will refuse to renew existing service tickets and TGTs. Windows clients
>> are not impacted by this since they never renew service tickets or TGTs.
>> Third-party Kerberos clients may fail to renew service tickets or TGTs
>> acquired from unpatched DCs. If all DCs are patched with the registry set
>> to 1, third-party clients will no longer receive renewable tickets.
>
> *--Luke Hebert* |
> cloudera.com <https://www.cloudera.com>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos