[16088] in Kerberos-V5-bugs

home help back first fref pref prev next nref lref last post

[krbdev.mit.edu #8718] krb5_get_credentials incorrectly matches user

daemon@ATHENA.MIT.EDU (Todd Lubin via RT)
Wed Aug 1 09:59:58 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Todd Lubin via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8718@krbdev.mit.edu>
Message-ID: <rt-8718-48729.8.54963567116336@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8718'":;
Date: Wed,  1 Aug 2018 09:59:44 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

It seems like there is no way to instruct krb5_get_credentials not to use a
cached user-to-user ticket for a particular service principal.

When you pass in KRB5_GC_USER_USER, there is care taken to ensure only a
user-to-user ticket is selected. However, the lack of that flag doesn't
prevent a user-to-user ticket from being selected from the cache.

It seems like either:
1) the lack of KRB5_GC_USER_USER should only match standard tickets
2) there should be some other flag introduced to express this desire

krb5-bugs mailing list

home help back first fref pref prev next nref lref last post