[3696] in Kerberos-V5-bugs

[krbdev.mit.edu #1202] KDC rejects unknown flags

daemon@ATHENA.MIT.EDU (Ken Raeburn via RT)
Thu Dec 12 20:36:06 2002

Mail-Followup-To: rt@krbdev.mit.edu
Message-Id: <rt-1202-3772.18.7543915556115@krbdev.mit.edu>
In-Reply-To: <rt-1202@krbdev.mit.edu>
From: "Ken Raeburn via RT" <rt-comment@krbdev.mit.edu>
Reply-To: rt-comment@krbdev.mit.edu
Mail-Copies-To: never
To: kenh@mit.edu
Cc: krb5-prs@mit.edu
Errors-To: krb5-bugs-admin@mit.edu
Date: Thu, 12 Dec 2002 20:35:02 -0500 (EST)

[hartmans - Thu Dec 12 17:22:45 2002]:

> Love points out that our KDC also rejects the disabled transited check
> option which it does understand.

Yes, that's part of the protection against exploitation of the old
chk_trans.c bug.  We shouldn't make the KDC obey this flag
unconditionally without warning admins that they'll need to upgrade
servers that are too old.  (Not obeying but not rejecting would probably
be okay.)
_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
http://mailman.mit.edu/mailman/listinfo/krb5-bugs
