[39426] in Kerberos
Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol
daemon@ATHENA.MIT.EDU (Ken Hornstein via Kerberos)
Tue Apr 30 20:34:28 2024
Message-Id: <202405010033.4410X0uE000445@hedwig.cmf.nrl.navy.mil>
To: kerberos@mit.edu
In-Reply-To: <992e2dea-dbd3-4f43-8b2a-7f4c8a6004c8@mit.edu>
MIME-Version: 1.0
Date: Tue, 30 Apr 2024 20:32:57 -0400
From: Ken Hornstein via Kerberos <kerberos@mit.edu>
Reply-To: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
>I looked at the Apple fork of Heimdal and didn't find any obvious code
>change to honor ok-as-delegate by default. In fact, it doesn't even
>implement enforce_ok_as_delegate. But both versions do implement a
>ccache config setting called "realm-config" and enforce ok-as-delegate
>if the 1 bit is set in the first byte of the value. Nothing in Heimdal
>or Apple's fork of it sets realm-config, but the macOS native ccache
>implementation or login system might do so.
You missed this code in kuser/kinit.c:
    if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
        unsigned char d = 0;
        krb5_data data;

        /* bit 1: enforce ok-as-delegate; bit 2: use referrals */
        if (ok_as_delegate_flag || windows_flag)
            d |= 1;
        if (use_referrals_flag || windows_flag)
            d |= 2;
        data.length = 1;
        data.data = &d;
        /* stored as a one-byte ccache config entry named "realm-config" */
        krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
    }
However, if I run "kinit --ok-as-delegate" in my MIT-based realm, using
the MacOS X ssh client, "ssh -K foo" still delegates a credential fine,
so something else is clearly going on.
--Ken
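The one-byte "realm-config" encoding discussed in this thread, and the delegation decision it feeds into, as an added example that is not part of the original message and not Heimdal's or Apple's code. It mirrors the bit layout of the kinit.c fragment quoted above (bit 1 = enforce ok-as-delegate, bit 2 = use referrals), decodes the raw ccache value the way a client library would, and then combines it with a hypothetical boolean standing in for the enforce_ok_as_delegate configuration option and with the OK-AS-DELEGATE flag on the service ticket to decide whether credentials may be forwarded. The function names, the struct and the separate boolean for the configuration option are assumptions made for this illustration.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bit layout of the "realm-config" ccache entry, taken from the kinit.c
 * fragment quoted in the message above. */
#define REALM_CONFIG_ENFORCE_OK_AS_DELEGATE 0x01
#define REALM_CONFIG_USE_REFERRALS          0x02

/* Decoded view of the entry (struct name is an assumption for this example). */
struct realm_config {
    bool present;                /* the entry existed in the ccache at all */
    bool enforce_ok_as_delegate; /* bit 1 set */
    bool use_referrals;          /* bit 2 set */
};

/* Build the one-byte value exactly as the quoted kinit code does:
 * --ok-as-delegate or --windows sets bit 1, --use-referrals or --windows
 * sets bit 2. Returns 0 when nothing would be written. */
uint8_t encode_realm_config(bool ok_as_delegate, bool windows, bool use_referrals) {
    uint8_t d = 0;
    if (ok_as_delegate || windows)
        d |= REALM_CONFIG_ENFORCE_OK_AS_DELEGATE;
    if (use_referrals || windows)
        d |= REALM_CONFIG_USE_REFERRALS;
    return d;
}

/* Decode a raw ccache config value. A missing entry (data == NULL) or an
 * empty value means "nothing set realm-config", so no enforcement is
 * derived from the ccache. Only the first byte is consulted, matching the
 * behaviour described in the quoted text. */
struct realm_config decode_realm_config(const uint8_t *data, size_t length) {
    struct realm_config rc = { false, false, false };
    if (data == NULL || length == 0)
        return rc;
    rc.present = true;
    rc.enforce_ok_as_delegate = (data[0] & REALM_CONFIG_ENFORCE_OK_AS_DELEGATE) != 0;
    rc.use_referrals          = (data[0] & REALM_CONFIG_USE_REFERRALS) != 0;
    return rc;
}

/* Delegation decision. Enforcement is demanded either by the configuration
 * option (modelled here as a plain boolean, an assumption of this example)
 * or by bit 1 of realm-config. When enforcement is demanded, the service
 * ticket must carry the KDC-set OK-AS-DELEGATE flag; otherwise the client
 * forwards its credentials regardless of that flag, which is the behaviour
 * the message observes with "ssh -K". */
bool should_forward_creds(bool conf_enforce_ok_as_delegate,
                          struct realm_config rc,
                          bool ticket_ok_as_delegate) {
    bool enforce = conf_enforce_ok_as_delegate || rc.enforce_ok_as_delegate;
    if (!enforce)
        return true;
    return ticket_ok_as_delegate;
}

int main(void) {
    /* Constructed sample: what "kinit --ok-as-delegate" would store. */
    uint8_t stored = encode_realm_config(true, false, false);
    struct realm_config rc = decode_realm_config(&stored, 1);

    printf("realm-config byte: 0x%02x (enforce=%d, referrals=%d)\n",
           stored, rc.enforce_ok_as_delegate, rc.use_referrals);
    printf("ticket without OK-AS-DELEGATE -> forward? %s\n",
           should_forward_creds(false, rc, false) ? "yes" : "no");
    printf("ticket with OK-AS-DELEGATE    -> forward? %s\n",
           should_forward_creds(false, rc, true) ? "yes" : "no");
    return 0;
}
```

A client that delegates even though the decoded entry has bit 1 set, or even though the configuration option is on, is the situation the message describes; checking the stored byte with this decoder is a quick way to confirm which of the two inputs is actually absent before looking elsewhere.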
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos