[16090] in Kerberos-V5-bugs


[krbdev.mit.edu #8718] krb5_get_credentials incorrectly matches user

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Fri Aug 3 10:43:01 2018

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8718@krbdev.mit.edu>
Message-ID: <rt-8718-48734.7.87207763881099@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8718'":;
Date: Fri,  3 Aug 2018 10:37:40 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.

However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure (t_s4u.py runs t_s4u, which
fails in check_ticket_count()).

I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key.  So I will
look into fixing that bug first.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
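The interaction the message describes (a cache match that honours the is_skey field, and a kdcrep2creds() rule that sets is_skey whenever a second ticket was present) can be modelled in a few lines of C. The block below is an added illustration and is not krb5 code: the struct, the two flag rules, the matcher and the principal names are all constructed here. It assumes "option 1" means always applying the is_skey match, and it assumes the corrected flag rule is "is_skey only when the request also asked for enc-tkt-in-skey", which the message does not state; both are labelled in the comments.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified stand-in for a cached credential: only the two
 * fields the discussion turns on. Not krb5's krb5_creds. */
typedef struct {
    const char *server;  /* service principal the ticket is for */
    bool is_skey;        /* documented meaning: ticket is encrypted in another ticket's session key */
} model_creds;

/* Rule the message says kdcrep2creds() currently applies:
 * a second ticket in the request => is_skey. S4U2Proxy also sends a
 * second (evidence) ticket, so its results get tagged too. */
bool is_skey_by_second_ticket(bool had_second_ticket)
{
    return had_second_ticket;
}

/* ASSUMED corrected rule (not from the message): only a user-to-user
 * request, i.e. one that asked for enc-tkt-in-skey, yields is_skey. */
bool is_skey_by_option(bool had_second_ticket, bool requested_enc_tkt_in_skey)
{
    return had_second_ticket && requested_enc_tkt_in_skey;
}

/* Cache match: the server must match; with match_is_skey set
 * (assumed reading of "option 1") the is_skey field must match as well. */
bool creds_match(const model_creds *want, const model_creds *have, bool match_is_skey)
{
    if (strcmp(want->server, have->server) != 0)
        return false;
    if (match_is_skey && want->is_skey != have->is_skey)
        return false;
    return true;
}

/* Number of cache entries a lookup for a regular (non-skey) ticket to
 * `server` would return. */
int count_matches(const model_creds *cache, int n, const char *server, bool match_is_skey)
{
    model_creds want = { server, false };
    int hits = 0;
    for (int i = 0; i < n; i++)
        if (creds_match(&want, &cache[i], match_is_skey))
            hits++;
    return hits;
}

/* Scenario from the message: cache one S4U2Proxy result, then look it up
 * with the is_skey match always applied. Returns the hit count. */
int s4u2proxy_cache_hits(bool use_corrected_rule)
{
    bool had_second_ticket = true;            /* the evidence ticket */
    bool requested_enc_tkt_in_skey = false;   /* S4U2Proxy is not user-to-user */
    bool flag = use_corrected_rule
        ? is_skey_by_option(had_second_ticket, requested_enc_tkt_in_skey)
        : is_skey_by_second_ticket(had_second_ticket);
    model_creds cache[] = {
        { "host/backend.example.com@EXAMPLE.COM", flag },  /* constructed name */
    };
    return count_matches(cache, 1, "host/backend.example.com@EXAMPLE.COM", true);
}

/* Scenario behind the ticket title: a user-to-user credential sits in the
 * cache and a regular ticket for the same principal is requested. */
int u2u_creds_hits_regular_lookup(bool match_is_skey)
{
    model_creds cache[] = {
        { "alice@EXAMPLE.COM", true },  /* constructed user-to-user credential */
    };
    return count_matches(cache, 1, "alice@EXAMPLE.COM", match_is_skey);
}

int main(void)
{
    printf("u2u cred satisfies regular lookup, no is_skey match: %d hit(s)\n",
           u2u_creds_hits_regular_lookup(false));
    printf("u2u cred satisfies regular lookup, is_skey match:    %d hit(s)\n",
           u2u_creds_hits_regular_lookup(true));
    printf("S4U2Proxy cache hit, second-ticket flag rule:       %d hit(s)\n",
           s4u2proxy_cache_hits(false));
    printf("S4U2Proxy cache hit, assumed corrected flag rule:   %d hit(s)\n",
           s4u2proxy_cache_hits(true));
    return 0;
}
```

The first pair of calls shows the reported problem (the user-to-user credential is returned for a regular lookup unless is_skey is matched); the second pair shows why matching is_skey alone is not enough: with the second-ticket rule the S4U2Proxy entry is tagged is_skey and is never found again, which is the caching breakage the message attributes to check_ticket_count(), while a flag rule tied to the enc-tkt-in-skey request restores the hit.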
