in Kerberos-V5-bugs
[krbdev.mit.edu #8718] krb5_get_credentials incorrectly matches user
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Fri Aug 3 10:43:01 2018
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8718'":;
Date: Fri, 3 Aug 2018 10:37:40 -0400 (EDT)
Content-Type: text/plain; charset="us-ascii"
I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.
However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure (t_s4u.py runs t_s4u, which
fails in check_ticket_count()).
I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key. So I will
look into fixing that bug first.
krb5-bugs mailing list