[3566] in Kerberos-V5-bugs
Re: [krbdev.mit.edu #1230] Transited realm handling
daemon@ATHENA.MIT.EDU (Tom Yu via RT)
Tue Oct 29 18:25:21 2002
Message-Id: <rt-1230-3247.5.40781767554066@krbdev.mit.edu>
In-Reply-To: <rt-1230@krbdev.mit.edu>
From: "Tom Yu via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
To: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Tue, 29 Oct 2002 18:23:09 -0500 (EST)
>>>>> "hartmans" == Sam Hartman <hartmans@MIT.EDU> writes:

hartmans> We could include an additional fix to better deal with
hartmans> encodings that include a trailing null received from other
hartmans> KDCs.

I would support ignoring of NULs in the transited field.

hartmans> The disadvantage is that we would consider realms differing
hartmans> only in a trailing null character the same for trust
hartmans> comparisons. Also, it is not clear how useful the fix will
hartmans> be since I think our current KDC code will always force a
hartmans> non-null transited encoding to fail the cross-realm policy
hartmans> check.

RFC 1510 forbade NULs in realm names, so this shouldn't create a
security issue. Failing to ignore NULs in transited fields basically
forces all realms involved in a transitive cross-realm authentication
to be running code that doesn't insert the NUL characters.

---Tom
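The behaviour the two messages above are weighing, as an added example that is not code from the krb5-bugs thread or from MIT krb5: trailing NULs on the transited field are ignored before the field is split into realms, a NUL inside a realm name is still rejected (RFC 1510 forbids it), and a trust comparison tolerates a trailing NUL on either side. The helper names, the comma-separated list form (RFC 1510 prefix/suffix compression is not expanded) and the simplified "every intermediate realm must be trusted" policy are assumptions for illustration, not the KDC's actual rules.

```python
# Added example, not code from the krb5-bugs thread or from MIT krb5.
# Helper names and the simplified policy are assumptions for illustration.


class InvalidRealm(ValueError):
    """Raised for a realm name that violates the RFC 1510 character rules."""


def strip_trailing_nuls(contents: bytes) -> bytes:
    """Drop NUL bytes appended after the last realm (encoder artifact)."""
    return contents.rstrip(b"\x00")


def check_realm_name(realm: bytes) -> bytes:
    """Reject empty realms and realms with an embedded NUL.

    Only trailing NULs on the whole field are ignored; a NUL in the middle
    of a name is not an encoding quirk and must fail rather than be
    silently normalised."""
    if not realm:
        raise InvalidRealm("empty realm name in transited field")
    if b"\x00" in realm:
        raise InvalidRealm("NUL byte inside realm name: %r" % realm)
    return realm


def split_transited(contents: bytes) -> list:
    """Split the transited contents into the list of intermediate realms.

    Assumes the plain comma-separated list form of the RFC 1510
    DOMAIN-X500-COMPRESS encoding; prefix/suffix compression and
    backslash-quoted separators are not expanded here (assumption)."""
    cleaned = strip_trailing_nuls(contents)
    if not cleaned:
        return []  # direct (non-transitive) path: no intermediate realms
    return [check_realm_name(r) for r in cleaned.split(b",")]


def realms_equal(a: bytes, b: bytes) -> bool:
    """Trust comparison that tolerates a trailing NUL on either side.

    This is the trade-off discussed in the thread: names differing only in
    a trailing NUL compare equal. Because RFC 1510 forbids NULs in realm
    names, no two legitimate realms can collide this way."""
    return strip_trailing_nuls(a) == strip_trailing_nuls(b)


def transited_is_permitted(contents: bytes, trusted: set) -> bool:
    """Simplified cross-realm policy (assumption, not the MIT KDC's rules):
    every intermediate realm must be in the local trusted set, and a
    malformed field is always rejected."""
    try:
        realms = split_transited(contents)
    except InvalidRealm:
        return False
    normalised_trusted = {strip_trailing_nuls(t) for t in trusted}
    return all(r in normalised_trusted for r in realms)


if __name__ == "__main__":
    # Constructed sample: a field from a KDC that appends a trailing NUL.
    sample = b"HUB.EXAMPLE\x00"
    print(split_transited(sample))                            # [b'HUB.EXAMPLE']
    print(transited_is_permitted(sample, {b"HUB.EXAMPLE"}))   # True
```

Stripping only at the end of the whole field is the point: it absorbs the encoder artifact the thread describes without loosening the check on realm names themselves, so a realm that genuinely contains a NUL still fails the policy check.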
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs