[16149] in Kerberos_V5_Development


Re: Patch to ignore service principals when accepting connexions.

daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Aug 25 18:04:35 2010

From: Sam Hartman <hartmans@painless-security.com>
To: Luke Howard <lukeh@padl.com>
Date: Wed, 25 Aug 2010 18:04:13 -0400
In-Reply-To: <3C53C7CD-D40A-46E4-9264-F0338E98353F@padl.com> (Luke Howard's
	message of "Wed, 25 Aug 2010 23:59:08 +0200")
Message-ID: <tsl8w3uwdr6.fsf@mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>>>> "Luke" == Luke Howard <lukeh@padl.com> writes:

    >> We introduced a behavior change in 1.7 so that applications no longer
    >> examine the service name encoded in a ticket; instead, they look at
    >> whether the key matches.  This means that you can have KDC-side aliases

    Luke> Only if the service passes in GSS_C_NO_CREDENTIAL.

Are you sure?
I thought we always ignored the ticket name, but we did require that the
name stored in the keytab match the name passed in by the application.
Taking a look at the code, we only seem to use the service name in the
ticket if the keytab operations vector doesn't include sequential gets.
That's only true for the kdb keytab.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
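The acceptor behaviour under discussion, as an added model that is not libkrb5 code: the service name the KDC wrote into the ticket is never consulted; a ticket is accepted only if a keytab key decrypts it, and the name passed in by the application (when it is not GSS_C_NO_CREDENTIAL) only restricts which keytab entries are tried. Keytab entries, ticket contents and the HMAC standing in for decryption are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model (not krb5 code): "decrypt with the service key" is
# represented by an HMAC tag, so key_matches() succeeds only with the
# key the ticket was issued under.

@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/srv.example.com@EXAMPLE.COM"
    kvno: int
    key: bytes

@dataclass(frozen=True)
class Ticket:
    sname: str       # name the KDC put in the ticket; an alias may appear here
    kvno: int
    enc_part: bytes  # stands in for the encrypted part
    tag: bytes       # stands in for the integrity check of a real decryption

def encrypt_ticket(sname, entry, body):
    # KDC side: an alias shares the canonical principal's key, so a ticket
    # for the alias is encrypted under the same keytab key.
    tag = hmac.new(entry.key, body, hashlib.sha256).digest()
    return Ticket(sname, entry.kvno, body, tag)

def key_matches(entry, ticket):
    # "Decryption succeeds" iff this keytab key verifies the ticket.
    expected = hmac.new(entry.key, ticket.enc_part, hashlib.sha256).digest()
    return entry.kvno == ticket.kvno and hmac.compare_digest(expected, ticket.tag)

def accept(ticket, keytab, acceptor_name=None):
    """Return the keytab principal whose key decrypted the ticket, else None.

    acceptor_name=None models GSS_C_NO_CREDENTIAL: every keytab entry is
    tried in turn (the sequential-get path).  Otherwise only entries whose
    principal equals the application-supplied name are tried.  The name
    inside the ticket (ticket.sname) is deliberately never compared.
    """
    for entry in keytab:
        if acceptor_name is not None and entry.principal != acceptor_name:
            continue
        if key_matches(entry, ticket):
            return entry.principal
    return None

# Constructed keytab: canonical service key plus an unrelated service.
KEYTAB = [
    KeytabEntry("host/srv.example.com@EXAMPLE.COM", 2, b"k" * 32),
    KeytabEntry("host/other.example.com@EXAMPLE.COM", 1, b"o" * 32),
]
```

With this model a ticket issued for the alias name but under the canonical key is accepted, while a ticket that carries the canonical name but was not encrypted under any keytab key is rejected, which is the point of checking the key rather than the name.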
