[3378] in Kerberos-V5-bugs
krb5-kdc/1149: KDC client lockout for DISALLOW_ALL_TIX or expiration
daemon@ATHENA.MIT.EDU (tlyu@mit.edu)
Fri Aug 16 17:02:26 2002
Resent-From: gnats@rt-11.mit.edu (GNATS Management)
Resent-To: krb5-unassigned@rt-11.mit.edu
Resent-Reply-To: krb5-bugs@mit.edu, tlyu@mit.edu
Message-Id: <200208162100.RAA29599@saint-elmos-fire.mit.edu>
From: tlyu@mit.edu
Reply-To: tlyu@mit.edu
To: krb5-bugs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Fri, 16 Aug 2002 17:00:27 -0400 (EDT)
>Number: 1149
>Category: krb5-kdc
>Synopsis: KDC client lockout for DISALLOW_ALL_TIX or expiration
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Aug 16 17:01:00 EDT 2002
>Last-Modified:
>Originator: Tom Yu
>Organization:
mit
>Release: 1.2.6
>Environment:
System: SunOS saint-elmos-fire.mit.edu 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
The KDC doesn't check the client principal for
DISALLOW_ALL_TIX or for expiration. This happens while handling krb5
TGS_REQ or krb4 APPL_REQ, or when converting a krb5 ticket to krb4.
>How-To-Repeat:
>Fix:
Code needs to be written to check for the local realm in the
client principal, and to do the lookup and flag/expiration check.
>Audit-Trail:
>Unformatted:
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
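
The check described under >Fix:, sketched as an added example; it is not code from this report or from the MIT krb5 tree. The struct, the flag bit, the verdict names and the sample database are hypothetical stand-ins for the KDC's principal database, and the sample entries are constructed.

```c
#include <stddef.h>
#include <string.h>
#include <time.h>

/* Hypothetical names throughout; this is not the krb5 KDB API. */
#define ATTR_DISALLOW_ALL_TIX 0x40u   /* constructed bit value */

enum client_verdict { CLIENT_OK, CLIENT_FOREIGN, CLIENT_UNKNOWN,
                      CLIENT_LOCKED_OUT, CLIENT_EXPIRED };

struct princ_entry {
    const char *name;         /* "user@REALM" */
    unsigned    attributes;
    time_t      expiration;   /* 0 = never expires */
};

/* Constructed sample database. */
static const struct princ_entry sample_db[] = {
    { "alice@EXAMPLE.TEST",   0,                     0    },
    { "mallory@EXAMPLE.TEST", ATTR_DISALLOW_ALL_TIX, 0    },
    { "bob@EXAMPLE.TEST",     0,                     1000 },
};

static const struct princ_entry *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++)
        if (strcmp(sample_db[i].name, name) == 0)
            return &sample_db[i];
    return NULL;
}

/* Validate the client named in a presented ticket (TGS_REQ, APPL_REQ or
 * ticket conversion) before issuing anything derived from it. */
enum client_verdict check_ticket_client(const char *client,
                                        const char *local_realm, time_t now)
{
    const char *at = strrchr(client, '@');
    const struct princ_entry *e;

    if (at == NULL)
        return CLIENT_UNKNOWN;            /* no realm: fail closed */
    if (strcmp(at + 1, local_realm) != 0)
        return CLIENT_FOREIGN;            /* not in the local database */
    if ((e = lookup(client)) == NULL)
        return CLIENT_UNKNOWN;
    if (e->attributes & ATTR_DISALLOW_ALL_TIX)
        return CLIENT_LOCKED_OUT;
    if (e->expiration != 0 && e->expiration <= now)
        return CLIENT_EXPIRED;
    return CLIENT_OK;
}
```

How a caller treats CLIENT_FOREIGN and CLIENT_UNKNOWN is a policy choice the report does not specify.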