[39425] in Kerberos


Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol

daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Apr 30 18:03:20 2024

Message-ID: <992e2dea-dbd3-4f43-8b2a-7f4c8a6004c8@mit.edu>
Date: Tue, 30 Apr 2024 18:01:51 -0400
MIME-Version: 1.0
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, James Ralston <ralston@pobox.com>
Cc: kerberos@mit.edu
Content-Language: en-US
From: "Greg Hudson" <ghudson@mit.edu>
In-Reply-To: <202404301649.43UGnfNE028201@hedwig.cmf.nrl.navy.mil>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Errors-To: kerberos-bounces@mit.edu

On 4/30/24 12:49, Ken Hornstein via Kerberos wrote:
> First off, I would advise you to NOT look at upstream Heimdal, because
> that's not helpful because it's not actually the code in question.
> Instead maybe look at the actual Heimdal source code used on MacOS X?

To expand on this: the Apple forks of open-source projects are available 
at opensource.apple.com, and at 
https://github.com/apple-oss-distributions (not sure if the latter is 
official or community-maintained).

I looked at the Apple fork of Heimdal and didn't find any obvious code 
change to honor ok-as-delegate by default.  In fact, it doesn't even 
implement enforce_ok_as_delegate.  But both versions do implement a 
ccache config setting called "realm-config" and enforce ok-as-delegate 
if the 1 bit is set in the first byte of the value.  Nothing in Heimdal 
or Apple's fork of it sets realm-config, but the macOS native ccache 
implementation or login system might do so.  James could perhaps test 
this theory by setting KRB5CCNAME to FILE:something, running kinit -f, 
and seeing if ssh will forward those tickets.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
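The delegation decision Greg describes above, worked through as an added example (this is not Heimdal's, Apple's or MIT's code). It assumes the pseudo-principal convention both MIT krb5 and Heimdal use for ccache configuration entries, krb5_ccache_conf_data/<key>[/<principal>]@X-CACHECONF:, and models the two inputs in the message: an enforce_ok_as_delegate application default (assumed name, modelled as a plain boolean) and a "realm-config" ccache entry whose first byte has the 1 bit set. The ccache contents and ticket flag values are constructed for the example; the bit positions follow RFC 4120 section 5.3 as MIT krb5 lays them out in TKT_FLG_*.

```python
"""Model of the ok-as-delegate enforcement logic discussed in the thread.

Constructed example: a ccache holding a TGT, a host service ticket and,
optionally, a "realm-config" configuration pseudo-credential.  The code
decides whether a client (for example ssh via GSSAPI) should forward its
TGT to the service, honouring ok-as-delegate only when enforcement is
switched on either by the application default or by the realm-config bit.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ticket flags, RFC 4120 section 5.3 numbering with bit 0 as the most
# significant bit of a 32-bit word (the layout of MIT krb5's TKT_FLG_*).
TKT_FLG_FORWARDABLE = 0x40000000     # bit 1
TKT_FLG_OK_AS_DELEGATE = 0x00040000  # bit 13

# Assumed convention for configuration entries stored inside a ccache.
CONF_PREFIX = "krb5_ccache_conf_data"
CONF_REALM = "X-CACHECONF:"


@dataclass
class Cred:
    """One ccache entry: a real ticket or a configuration pseudo-credential."""
    server: str
    ticket_flags: int = 0
    ticket: bytes = b""  # opaque ticket; carries the value for config entries


def conf_principal(key: str, principal: Optional[str] = None) -> str:
    """Pseudo-principal name under which a ccache config entry is stored."""
    comps = [CONF_PREFIX, key] + ([principal] if principal else [])
    return "/".join(comps) + "@" + CONF_REALM


def cc_get_config(ccache: list[Cred], key: str,
                  principal: Optional[str] = None) -> Optional[bytes]:
    """Return the value of config entry `key`, or None if it is absent."""
    wanted = conf_principal(key, principal)
    for cred in ccache:
        if cred.server == wanted:
            return cred.ticket
    return None


def cc_set_config(ccache: list[Cred], key: str, value: bytes,
                  principal: Optional[str] = None) -> None:
    """Store or replace a config entry (what a login system would have to do
    for realm-config to take effect, since nothing in Heimdal sets it)."""
    wanted = conf_principal(key, principal)
    ccache[:] = [c for c in ccache if c.server != wanted]
    ccache.append(Cred(server=wanted, ticket=value))


def enforce_ok_as_delegate(ccache: list[Cred],
                           appdefault_enforce: bool = False) -> bool:
    """True if the ok-as-delegate flag must be honoured before delegating.

    Either the (assumed) enforce_ok_as_delegate application default is on,
    or the ccache has a realm-config entry whose first byte has the 1 bit set.
    A missing or empty realm-config value means "not enforced".
    """
    if appdefault_enforce:
        return True
    data = cc_get_config(ccache, "realm-config")
    if not data:
        return False
    return (data[0] & 1) == 1


def may_delegate(ccache: list[Cred], tgt: Cred, service_ticket: Cred,
                 appdefault_enforce: bool = False) -> bool:
    """Decide whether the client should forward its TGT to this service.

    The TGT must be forwardable at all (kinit -f).  If ok-as-delegate is
    enforced, the KDC must additionally have marked the service as trusted
    for delegation by setting ok-as-delegate in the service ticket.
    """
    if not tgt.ticket_flags & TKT_FLG_FORWARDABLE:
        return False
    if enforce_ok_as_delegate(ccache, appdefault_enforce):
        return bool(service_ticket.ticket_flags & TKT_FLG_OK_AS_DELEGATE)
    return True


if __name__ == "__main__":
    # Constructed ccache: forwardable TGT plus a host ticket the KDC did NOT
    # flag ok-as-delegate.
    cc: list[Cred] = []
    tgt = Cred("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", TKT_FLG_FORWARDABLE)
    svc = Cred("host/server.example.org@EXAMPLE.ORG", TKT_FLG_FORWARDABLE)
    print("no realm-config:       ", may_delegate(cc, tgt, svc))
    cc_set_config(cc, "realm-config", b"\x01")  # 1 bit set -> enforce
    print("realm-config = 0x01:   ", may_delegate(cc, tgt, svc))
    cc_set_config(cc, "realm-config", b"\x02")  # 1 bit clear -> not enforced
    print("realm-config = 0x02:   ", may_delegate(cc, tgt, svc))
```

With no realm-config entry the forwardable TGT is delegated regardless of the service ticket, which is the permissive default the thread is puzzling over; once the entry's first byte has its low bit set, delegation is refused unless the service ticket carries ok-as-delegate. The kinit -f / FILE: ccache test Greg suggests corresponds to the first case: a fresh FILE ccache has no realm-config entry, so if ssh still refuses to forward, the enforcement is coming from somewhere other than this setting.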
