[16090] in Kerberos-V5-bugs
[krbdev.mit.edu #8718] krb5_get_credentials incorrectly matches user
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Fri Aug 3 10:43:01 2018
Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: <rt-8718@krbdev.mit.edu>
Message-ID: <rt-8718-48734.7.87207763881099@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #8718'":;
Date: Fri, 3 Aug 2018 10:37:40 -0400 (EDT)
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu
I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.
However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure (t_s4u.py runs t_s4u, which
fails in check_ticket_count()).
I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key. So I will
look into fixing that bug first.
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs