[16150] in Kerberos_V5_Development


Re: Patch to ignore service principals when accepting connexions.

daemon@ATHENA.MIT.EDU (Luke Howard)
Wed Aug 25 18:11:38 2010

Mime-Version: 1.0 (Apple Message framework v1081)
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <tsl8w3uwdr6.fsf@mit.edu>
Date: Thu, 26 Aug 2010 00:11:29 +0200
Message-Id: <68C4ED17-729E-4034-9BCB-1F169D407CD1@padl.com>
To: Sam Hartman <hartmans@painless-security.com>
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

> Taking a look at the code, we only seem to use the service name in the
> ticket if the keytab operations vector doesn't include sequential gets.
> That's only true for the kdb keytab.


From rd_req_dec.c:

    if (server != NULL || keytab->ops->start_seq_get == NULL) {
...

Server is NULL for the default acceptor identity; this happens iff the acceptor credential is:

(a) GSS_C_NO_CREDENTIAL or
(b) a credential acquired for GSS_C_NO_NAME

From src/lib/gssapi/krb5/accept_sec_context.c:

    if ((code = krb5_rd_req(context, &auth_context, &ap_req,
                            cred->default_identity ? NULL : cred->name->princ,
                            cred->keytab,
                            &ap_req_options,
                            &ticket))) {
...

(Really, (a) is a case of (b). See cred->default_identity being set in acquire_cred.c.)

-- Luke
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
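The following is an added toy model, not MIT krb5 code, of the two branches the message quotes: the `server != NULL || keytab->ops->start_seq_get == NULL` test in rd_req_dec.c and the `cred->default_identity ? NULL : cred->name->princ` argument in accept_sec_context.c. The in-memory keytab, the ticket structure and every function and field name here are assumptions made for illustration; the point it shows is that a default-identity acceptor credential (GSS_C_NO_CREDENTIAL, or one acquired for GSS_C_NO_NAME) will accept a ticket for any service principal present in the keytab, whereas a credential acquired for a specific name is restricted to that principal.

```python
"""Constructed model of acceptor key selection in krb5_rd_req (not libkrb5)."""
from dataclasses import dataclass
from typing import Dict, Optional

GSS_C_NO_NAME = None  # models acquiring a credential with no desired name


@dataclass
class Keytab:
    entries: Dict[str, bytes]        # principal name -> secret key (constructed)
    has_start_seq_get: bool = True   # False models the kdb keytab (no sequential gets)


@dataclass
class AcceptorCred:
    keytab: Keytab
    default_identity: bool           # set when acquired for GSS_C_NO_NAME
    name: Optional[str] = None       # fixed acceptor principal, if any


@dataclass
class Ticket:
    sname: str                       # service principal the ticket was issued for
    enc_key: bytes                   # key the ticket is encrypted under


def acquire_cred(keytab: Keytab, desired_name: Optional[str]) -> AcceptorCred:
    """Models gss_acquire_cred: GSS_C_NO_NAME yields a default-identity credential."""
    if desired_name is GSS_C_NO_NAME:
        return AcceptorCred(keytab=keytab, default_identity=True)
    return AcceptorCred(keytab=keytab, default_identity=False, name=desired_name)


def rd_req(keytab: Keytab, server: Optional[str], ticket: Ticket) -> str:
    """Models the key-selection branch of krb5_rd_req; returns the accepted principal."""
    if server is not None or not keytab.has_start_seq_get:
        # Fixed lookup: either the caller named the server, or the keytab cannot be
        # enumerated, so the ticket's own server name drives a single keytab get.
        lookup = server if server is not None else ticket.sname
        if lookup != ticket.sname:
            raise PermissionError(f"ticket is for {ticket.sname}, acceptor is {lookup}")
        key = keytab.entries.get(lookup)
        if key is None or key != ticket.enc_key:
            raise PermissionError(f"no usable key for {lookup}")
        return lookup
    # Sequential path: walk the keytab and accept any entry whose principal and key
    # match the ticket, i.e. every service principal in the keytab is acceptable.
    for princ, key in keytab.entries.items():
        if princ == ticket.sname and key == ticket.enc_key:
            return princ
    raise PermissionError(f"no keytab entry matches {ticket.sname}")


def accept_sec_context(cred: AcceptorCred, ticket: Ticket) -> str:
    """Models the krb5_rd_req call in accept_sec_context.c."""
    server = None if cred.default_identity else cred.name
    return rd_req(cred.keytab, server, ticket)


def demo() -> dict:
    """Keytab holding two service principals; compare default vs named acceptor."""
    kt = Keytab({"host/a.example.com": b"k-host", "HTTP/b.example.com": b"k-http"})
    t_host = Ticket("host/a.example.com", b"k-host")
    t_http = Ticket("HTTP/b.example.com", b"k-http")
    any_cred = acquire_cred(kt, GSS_C_NO_NAME)
    host_cred = acquire_cred(kt, "host/a.example.com")
    results = {
        "default accepts host": accept_sec_context(any_cred, t_host),
        "default accepts HTTP": accept_sec_context(any_cred, t_http),
        "named accepts host": accept_sec_context(host_cred, t_host),
    }
    try:
        accept_sec_context(host_cred, t_http)
        results["named accepts HTTP"] = True
    except PermissionError:
        results["named accepts HTTP"] = False
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Running `demo()` shows the default-identity credential accepting both the `host/` and `HTTP/` tickets, while the credential acquired for `host/a.example.com` rejects the `HTTP/` ticket. An acceptor that should only ever serve one principal is therefore better off acquiring its credential by name, or keeping a dedicated keytab, rather than relying on GSS_C_NO_CREDENTIAL with a shared keytab.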
