[607] in Kerberos-V5-bugs
Forwarding of Credentials Across Realms
daemon@ATHENA.MIT.EDU (Doug Engert)
Thu Jul 28 14:20:04 1994
Date: Thu, 28 Jul 94 13:19:49 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <krb5-bugs@MIT.EDU>
Cc: <auth-pilot@es.net>
While trying to get forwarding of credentials to work across
realms, I ran across two problems which prevented it from
working.
(1) lib/krb5/ccache/file/fcc_retrv.c has a routine srvname_match
which is preceded by the comment:
/* only match the server name portion, not the server realm portion */
But it calls
krb5_principal_compare(mcreds->server,creds->server)
to compare the full name. This appears to be an error. Attached
is a context diff file which solves the problem. (There are
probably better ways to do this.) It looks like
lib/krb5/ccache/stdio/scc_retrv.c has the same problem but I have
no way to test it.
(2) appl/bsd/forward.c has a call to krb5_send_tgs where it
passes creds.server. It looks like it should pass tgt.server,
since the call to krb5_cc_retrieve_cred with the
KRB5_TC_MATCH_SRV_NAMEONLY option returns a server with a
different realm. appl/telnet/libtelnet/forward.c appears to have
the same problem. (I have not tested it.)
With these changes, I am able to forward credentials across
realms, and use them with a modified aklog to get AFS tokens
for a local or remote cell. (I moved the changes I had in
krb425/get_cred.c to aklog_param.c.)
----- ------ ----- ----- ----- ----- ----- ----- ----- -----
*** ,fcc_retrv.c Tue Jun 28 17:10:17 1994
--- fcc_retrv.c Thu Jul 28 09:15:38 1994
***************
*** 179,189 ****
srvname_match(mcreds, creds)
register const krb5_creds *mcreds, *creds;
{
krb5_boolean retval;
retval = krb5_principal_compare(mcreds->client,creds->client);
if (retval != TRUE)
return retval;
! return krb5_principal_compare(mcreds->server, creds->server);
}
static krb5_boolean
--- 179,215 ----
srvname_match(mcreds, creds)
register const krb5_creds *mcreds, *creds;
{
+ krb5_data saver;
krb5_boolean retval;
retval = krb5_principal_compare(mcreds->client,creds->client);
if (retval != TRUE)
return retval;
!
! /* ANL - looks like this compares the realm as well dispite
! * what the comments above says. So for a test lets make sure
! * the realms are the same. There should probably be a
! * krb5_principal_compare_nameonly routine.
! * This should allow forwarding of creds across realms
! * which fails without this change. DEE 07/27/94
! *
! * return krb5_principal_compare(mcreds->server, creds->server);
! */
!
! saver.length = krb5_princ_realm(mcreds->server)->length;
! saver.data = krb5_princ_realm(mcreds->server)->data;
!
! krb5_princ_set_realm_length(mcreds->server,
! krb5_princ_realm(creds->server)->length);
! krb5_princ_set_realm_data(mcreds->server,
! krb5_princ_realm(creds->server)->data);
!
! retval = krb5_principal_compare(mcreds->server, creds->server);
!
! krb5_princ_set_realm_length(mcreds->server, saver.length);
! krb5_princ_set_realm_data(mcreds->server, saver.data);
!
! return retval;
!
}
static krb5_boolean
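Review bot: the new block in srvname_match mutates the caller's match template even though mcreds is declared `const krb5_creds *`: `krb5_princ_set_realm_length(mcreds->server, ...)` and `krb5_princ_set_realm_data(mcreds->server, ...)` overwrite the template's realm in place and only restore it after krb5_principal_compare returns, so any reentrant or concurrent use of the same mcreds during that window sees the wrong realm, and any future early return inserted between the set and restore calls would leave it corrupted. Compare the name components of mcreds->server and creds->server directly (the `krb5_principal_compare_nameonly` the comment itself asks for) and leave mcreds untouched; that also removes the need for the `saver` temporary. The covering message says lib/krb5/ccache/stdio/scc_retrv.c has the same defect, but this patch touches only fcc_retrv.c. Minor: "dispite" in the comment.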
----- ------ ----- ----- ----- ----- ----- ----- ----- -----
*** ,forward.c Tue Jun 28 17:06:53 1994
--- forward.c Thu Jul 28 10:37:53 1994
***************
*** 170,176 ****
kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if (retval = krb5_send_tgs(kdcoptions, &creds.times, etype, sumtype,
! creds.server,
addrs,
creds.authdata,
0, /* no padata */
--- 170,176 ----
kdcoptions &= ~(KDC_OPT_FORWARDABLE);
if (retval = krb5_send_tgs(kdcoptions, &creds.times, etype, sumtype,
! tgt.server,
addrs,
creds.authdata,
0, /* no padata */
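Review bot: passing `tgt.server` makes the server principal handed to krb5_send_tgs agree with the credential actually retrieved, but the hunk does not show where `tgt` is declared or filled; confirm it is the krb5_creds returned by the krb5_cc_retrieve_cred call with KRB5_TC_MATCH_SRV_NAMEONLY described in the message (and not an uninitialised struct), since with a name-only match its realm is exactly the field that differs from `creds.server`. The assignment-in-condition `if (retval = krb5_send_tgs(` is pre-existing and unchanged. The message also notes appl/telnet/libtelnet/forward.c needs the identical change; include it here or track it separately so the two forwarders do not diverge.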
----- ----- ----- ----- ----- ----- ----- ----- ----- ----- -----
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
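The name-only server match that the patch comment asks for (a krb5_principal_compare_nameonly), written out as an added C example for this archive page; it is neither Engert's patch nor libkrb5 code. The toy_principal struct, the cache_find helper and the ANL.GOV/ES.NET realm names are assumptions constructed for illustration (the real krb5_principal is handled through the krb5_princ_* macros seen in the diff). It shows the two behaviours the report contrasts: a full comparison never finds the cross-realm TGT, a name-only comparison does, and the entry it finds carries the issuing realm, which is why the forward.c fix passes tgt.server rather than the template's server.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Simplified stand-in for krb5_principal: a realm plus the name components.
 * Illustrative struct only, not the real libkrb5 type. */
#define MAX_COMPONENTS 4
typedef struct {
    const char *realm;
    int ncomp;
    const char *comp[MAX_COMPONENTS];
} toy_principal;

/* Name-only comparison, i.e. what a krb5_principal_compare_nameonly() would do.
 * Neither realm is read or written, so both arguments are genuinely const and
 * no save/overwrite/restore of the match template is needed. */
bool principal_compare_nameonly(const toy_principal *a, const toy_principal *b)
{
    if (a->ncomp != b->ncomp)
        return false;
    for (int i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return false;
    return true;
}

/* Full comparison, the behaviour of krb5_principal_compare(): realm and name
 * must both agree. This is what the unpatched srvname_match() effectively used. */
bool principal_compare(const toy_principal *a, const toy_principal *b)
{
    return strcmp(a->realm, b->realm) == 0 && principal_compare_nameonly(a, b);
}

typedef bool (*server_matcher)(const toy_principal *, const toy_principal *);

/* Scan a cache the way a krb5_cc_retrieve_cred() server match would (assumed
 * helper); returns the index of the first matching entry, or -1 if none. */
int cache_find(const toy_principal *match_server, const toy_principal *entries,
               int nentries, server_matcher match)
{
    for (int i = 0; i < nentries; i++)
        if (match(match_server, &entries[i]))
            return i;
    return -1;
}

/* Constructed scenario (realm names invented for illustration): a user in
 * ANL.GOV holds a local TGT and a cross-realm TGT for ES.NET, and asks for the
 * ES.NET ticket-granting service without knowing which realm issued it. */
const toy_principal match_template = { "ES.NET", 2, { "krbtgt", "ES.NET" } };
const toy_principal cache[] = {
    { "ANL.GOV", 2, { "krbtgt", "ANL.GOV" } }, /* local TGT: wrong service      */
    { "ANL.GOV", 2, { "krbtgt", "ES.NET" } },  /* cross-realm TGT issued by ANL */
};
const int ncache = 2;

int main(void)
{
    int full = cache_find(&match_template, cache, ncache, principal_compare);
    int nameonly = cache_find(&match_template, cache, ncache, principal_compare_nameonly);
    printf("full compare      -> %d (cross-realm TGT not found)\n", full);
    printf("name-only compare -> %d (cross-realm TGT found)\n", nameonly);
    /* The matched entry keeps the issuing realm; that principal, not the
     * template's, is what the TGS request must name (the tgt.server fix). */
    if (nameonly >= 0)
        printf("server for krb5_send_tgs: %s/%s@%s\n",
               cache[nameonly].comp[0], cache[nameonly].comp[1],
               cache[nameonly].realm);
    return 0;
}
```

Build with `cc -std=c99 -Wall nameonly.c`. Because principal_compare_nameonly never touches either realm, the match template can be passed as a true const object, which is the property the in-place realm swap in the posted srvname_match gives up.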