[11671] in Kerberos-V5-bugs


[krbdev.mit.edu #6764] has_mandatory_for_kdc_authdata checks only

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Thu Sep 2 11:39:30 2010

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6764@krbdev.mit.edu>
Message-ID: <rt-6764-33110.13.3712186029992@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6764'":;"'AdminCc of krbdev.mit.edu Ticket #6764'":;@MIT.EDU
Date: Thu,  2 Sep 2010 11:39:27 -0400 (EDT)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu

A brief security analysis:

For application servers, authdata elements are supposed to be mandatory 
by default, meaning the server should reject the request if it doesn't 
understand the authdata.  For KDCs, authdata elements are only mandatory 
if they are embedded in a MANDATORY-FOR-KDC container.

Because of this bug, the KDC might not properly reject a request which 
contains a MANDATORY-FOR-KDC container.  This is no worse than the 
behavior in 1.7 and prior, so this does not constitute a serious security 
issue.  I'm not aware of any defined authdata types which make use of 
MANDATORY-FOR-KDC.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
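An added illustration of the rule the note describes (this is example code, not MIT krb5's `has_mandatory_for_kdc_authdata`, and it works on an already-decoded model of AuthorizationData rather than the real ASN.1 encoding): a recursive walk that finds a MANDATORY-FOR-KDC container even when it is nested inside AD-IF-RELEVANT, plus the reject decision a KDC derives from it. The ad-type values 1 and 8 are from RFC 4120; the sample ad-types 64 and 200 and the sample payloads are constructed.

```python
# Model of RFC 4120 AuthorizationData for illustration only; not MIT krb5 code.
AD_IF_RELEVANT = 1        # RFC 4120 section 5.2.6.1
AD_MANDATORY_FOR_KDC = 8  # RFC 4120 section 5.2.6.2

# Assumed representation: a decoded AuthorizationData is a list of
# (ad_type, contents) pairs.  For the two container types above, contents is
# itself a decoded AuthorizationData; for any other type it is opaque bytes.


def kdc_mandatory_types(authdata, inside_mandatory=False):
    """Return the set of ad-types the KDC MUST understand for this request.

    Containers are walked recursively, so a MANDATORY-FOR-KDC element wrapped
    in AD-IF-RELEVANT (or nested deeper) is still found; inspecting only the
    top-level elements would miss it.
    """
    required = set()
    for ad_type, contents in authdata:
        if ad_type == AD_MANDATORY_FOR_KDC:
            required |= kdc_mandatory_types(contents, inside_mandatory=True)
        elif ad_type == AD_IF_RELEVANT:
            required |= kdc_mandatory_types(contents, inside_mandatory)
        elif inside_mandatory:
            required.add(ad_type)
    return required


def has_mandatory_for_kdc_authdata(authdata):
    """True if a MANDATORY-FOR-KDC container appears anywhere in authdata."""
    for ad_type, contents in authdata:
        if ad_type == AD_MANDATORY_FOR_KDC:
            return True
        if ad_type == AD_IF_RELEVANT and has_mandatory_for_kdc_authdata(contents):
            return True
    return False


def kdc_should_reject(authdata, understood_types=frozenset()):
    """Reject when some type the KDC must understand is not in understood_types.

    With the default empty set (a KDC that implements no mandatory types, the
    situation the note above describes) any non-empty MANDATORY-FOR-KDC
    container causes rejection.
    """
    return not kdc_mandatory_types(authdata) <= set(understood_types)


# Constructed sample: an ignorable element, then a mandatory container hidden
# inside an AD-IF-RELEVANT wrapper.
SAMPLE_AUTHDATA = [
    (64, b"kdc-may-ignore-this"),
    (AD_IF_RELEVANT, [(AD_MANDATORY_FOR_KDC, [(200, b"kdc-must-understand")])]),
]
```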
