[16153] in Kerberos_V5_Development

Re: Patch to ignore service principals when accepting connexions.

daemon@ATHENA.MIT.EDU (Sam Hartman)
Wed Aug 25 19:12:11 2010

From: Sam Hartman <hartmans@painless-security.com>
To: Luke Howard <lukeh@padl.com>
Date: Wed, 25 Aug 2010 19:11:50 -0400
In-Reply-To: <68C4ED17-729E-4034-9BCB-1F169D407CD1@padl.com> (Luke Howard's
	message of "Thu, 26 Aug 2010 00:11:29 +0200")
Message-ID: <tslzkwauw21.fsf@mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu

>>>>> "Luke" == Luke Howard <lukeh@padl.com> writes:

    >> Taking a look at the code, we only seem to use the service name in the
    >> ticket if the keytab operations vector doesn't include sequential gets.
    >> That's only true for the kdb keytab.


    Luke> From rd_req_dec.c:

    Luke> if (server != NULL || keytab->ops->start_seq_get == NULL) {
    Luke> ...


Yes, but a couple of lines down:

    if (server != NULL || keytab->ops->start_seq_get == NULL) {
        retval = krb5_kt_get_entry(context, keytab,
                                   server != NULL ? server : req->ticket->server,
                                   req->ticket->enc_part.kvno,
                                   req->ticket->enc_part.enctype, &ktent);

Note that the name from the ticket is only used if server is null.