[16351] in Kerberos-V5-bugs
[krbdev.mit.edu #8479] git commit
daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Mon Sep 9 10:34:06 2019
From: "Greg Hudson via RT" <rt@KRBDEV-PROD-APP-1.mit.edu>
Message-ID: <rt-4.4.4-21942-1568039604-1684.8479-5-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8479":;
Date: Mon, 09 Sep 2019 10:33:25 -0400
<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479 >
S4U2Proxy evidence tickets needn't be forwardable

With the introduction of resource-based constrained delegation, the
absence of the forwardable flag no longer implies that a ticket cannot
be used for constrained delegation requests.

Instead, we should check in the PAC to see if the user is marked as
sensitive, and error out in that case rather than making a failed
request. But we don't always have access to the PAC and we currently
do not have the code to retrieve this attribute from the PAC.

Since krb5_get_credentials_for_proxy() no longer needs to look at the
decrypted ticket, change kvno to not require a keytab for constrained
delegation.

[ghudson@mit.edu: made minor style changes and commit message edits;
updated documentation]

https://github.com/krb5/krb5/commit/e131d339b81a22bfc91ab96990c3be9e7779200e
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: e131d339b81a22bfc91ab96990c3be9e7779200e
Branch: master
doc/appdev/gssapi.rst | 35 ++++++++++---------------
src/clients/kvno/kvno.c | 40 ++++++++++++++---------------
src/lib/gssapi/krb5/accept_sec_context.c | 3 +-
src/lib/gssapi/krb5/init_sec_context.c | 1 -
src/lib/gssapi/krb5/s4u_gss_glue.c | 14 ++--------
src/lib/krb5/krb/s4u_creds.c | 16 +++--------
src/tests/gssapi/t_s4u.py | 25 ++++++++----------
7 files changed, 53 insertions(+), 81 deletions(-)