[11136] in Kerberos-V5-bugs


[krbdev.mit.edu #6555] k5_pac_validate_client()

daemon@ATHENA.MIT.EDU (Luke Howard via RT)
Tue Sep 1 21:30:37 2009

Mail-Followup-To: rt@krbdev.mit.edu
mail-copies-to: never
From: "Luke Howard via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6555@krbdev.mit.edu>
Message-ID: <rt-6555-31663.8.80077926036371@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6555'":;"'AdminCc of krbdev.mit.edu Ticket #6555'":;@MIT.EDU
Date: Wed,  2 Sep 2009 01:30:13 +0000 (UTC)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

> Bug in 1.7 in k5_pac_validate_client(), in 1.7. It would be nice to  
> fix this for 1.7.1.
>
> The issue is that PACs from principals in different realms to the  
> service fail to validate.
>
> The fix to pac.c is to ignore the realm component (because the  
> principal name in the PAC is unqualified):
>
>     if (pac_authtime != authtime ||
>         !krb5_principal_compare_flags(context,
>                                       pac_principal,
>                                       principal,
>                                       KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
>         ret = KRB5KRB_AP_WRONG_PRINC;
>
> -- Luke
> --
> www.padl.com | www.fghr.net


_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
