[614] in Kerberos-V5-bugs
More on Shortcuts
daemon@ATHENA.MIT.EDU (Doug Engert)
Tue Aug 2 12:51:40 1994
Date: Tue, 02 Aug 94 11:51:09 CDT
From: "Doug Engert" <DEEngert@anl.gov>
To: <BCN@ISI.EDU>
Cc: <KRB5-BUGS@MIT.EDU>, <AUTH-PILOT@ES.NET>
>> Date: Tue, 2 Aug 1994 07:10:08 -0700
>> From: Clifford Neuman <bcn@ISI.EDU>
>> Look at the top of lib/krb5/krb/gc_frm_kdc.c for a CyberSAFE
>> copyright notice.
Yes it is there.
>> You are correct, it would not handle the above situation because the
>> path is determined by the names of the realms. I think that it would
>> be worthwhile to include your changes to support this. I would prefer
>> that it not be called shortcut, since that implies (not from the
>> dictionary meaning, but the way I use it) bypassing parts of the
>> hierarchy. Instead I would call it something like
>> CONFIGURABLE_AUTHENTICATION_PATH.
Yes, I would like to see it included as well, since it solves a
practical problem. (It introduces another, since you must maintain
the configuration file. But since every client has to have
a krb.conf file with every realm already defined, if it changes
change the shortcut file as well.)
I called it "shortcuts" back on April 1 in a note to
the kerberos@mit.edu list. I had the code working with
Kerberos 5.3 along some other changes to get cross
realm working. I submitted these in changes in early June.)
You can call it and the configuration file anything you want,
just so long as the function is there.
>> How is it that you validate the authentication path on the server
>> side. In particular, if you stay within the hierarchy defined by
>> the old walk_rtree, only skipping hops, it is easy to define a policy
>> that says what is allowed in the transmitted field. Once you allow
>> other realms to be involved, you need to guard against realms that
>> shouldn't be involved appearing in that path. That is a policy
>> decision on the application-server side.
Good point. The KDCs in do_tgs_req.c use the modified walk_rtree
routine, and should be using the same path list as the client,
since it is using the shortcut configuration file.
I don't believe that this introduces any new problems with
validation. If need be, the application-server could also use the
modified walk_rtree routine to verify the path.
With or without either my mods or the CyberSAFE mods, the user on
the client can modify the code to try and get tickets from any
KDC he wants. Is there any code in 5.4.1 in any of the
applications which checks the transited field?
Douglas E. Engert
Systems Programming
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(708) 252-5444
Internet: DEEngert@anl.gov
