[17262] in Kerberos_V5_Development
Re: Adding new principal attributes?
daemon@ATHENA.MIT.EDU (Luke Howard)
Thu Oct 6 02:23:55 2011
From: Luke Howard <lukeh@padl.com>
In-Reply-To: <CAK3OfOhn+GgpSR-dSW7KqN60iRnHp3+SZGaAYgzHar4Qpz1m8w@mail.gmail.com>
Date: Thu, 6 Oct 2011 17:23:45 +1100
Message-Id: <F0FD9A7F-DADB-4E41-8F07-624D37DC3FAF@padl.com>
To: Nico Williams <nico@cryptonector.com>
Cc: krbdev@mit.edu
On 06/10/2011, at 5:15 PM, Nico Williams wrote:
> I have a need for a principal attribute that indicates that the given
> principal cannot handle large tickets, which should then cause the TGS
> to strip out large non-critical authorization-data (e.g., the PAC).
You could use KRB5_KDB_NO_AUTH_DATA_REQUIRED. See handle_kdb_authdata:
    /*
     * Check whether KDC issued authorization data should be included.
     * A server can explicitly disable the inclusion of authorization
     * data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its
     * principal entry. Otherwise authorization data will be included
     * if it was present in the TGT, the client is from another realm
     * or protocol transition/constrained delegation was used, or, in
     * the AS-REQ case, if the pre-auth data indicated the PAC should
     * be present.
     */
    if (tgs_req) {
        assert(enc_tkt_request != NULL);

        if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED))
            return 0;

        if (enc_tkt_request->authorization_data == NULL &&
            !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U))
            return 0;

        assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime);
    } else {
        if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC))
            return 0;
    }
-- Luke
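A standalone C model of the decision in that snippet, added here as an example and not part of Luke's message or of the krb5 source; the flag bit values and the function name include_kdb_authdata are constructed for the model. It walks the same checks on the TGS and AS paths, which makes visible that the attribute is only consulted on the TGS path and that it suppresses all KDC-issued authdata rather than selectively stripping large elements.

```c
#include <stdio.h>

/* Standalone model of the handle_kdb_authdata checks quoted above. The bit
 * values are constructed for this model, not the ones from krb5's kdb.h. */
#define KDB_NO_AUTH_DATA_REQUIRED 0x1u  /* attribute on the server principal */
#define FLAG_CROSS_REALM          0x2u  /* request flags passed to the check */
#define FLAGS_S4U                 0x4u
#define FLAG_INCLUDE_PAC          0x8u

/* Returns 1 when the KDC would include KDC-issued authorization data (e.g.
 * the PAC) in the reply, 0 when it would omit it; same check order as the
 * quoted snippet. */
int include_kdb_authdata(int tgs_req, unsigned server_attributes,
                         unsigned flags, int tgt_has_authdata)
{
    if (tgs_req) {
        /* Server opted out: nothing is issued, whatever the TGT carried and
         * even if S4U or cross-realm would otherwise generate fresh data. */
        if (server_attributes & KDB_NO_AUTH_DATA_REQUIRED)
            return 0;
        /* Nothing in the TGT and no reason to generate fresh data. */
        if (!tgt_has_authdata && !(flags & (FLAG_CROSS_REALM | FLAGS_S4U)))
            return 0;
        return 1;
    }
    /* AS-REQ path: only the pre-auth derived INCLUDE_PAC flag is consulted;
     * the server attribute is not examined here. */
    return (flags & FLAG_INCLUDE_PAC) ? 1 : 0;
}

int main(void)
{
    /* Nico's case: a service principal that cannot handle large tickets. */
    printf("TGS, flagged service, S4U:        %d\n",
           include_kdb_authdata(1, KDB_NO_AUTH_DATA_REQUIRED, FLAGS_S4U, 1));
    printf("TGS, normal service, bare TGT:    %d\n",
           include_kdb_authdata(1, 0, 0, 0));
    printf("TGS, bare TGT but cross-realm:    %d\n",
           include_kdb_authdata(1, 0, FLAG_CROSS_REALM, 0));
    printf("AS, flagged service, INCLUDE_PAC: %d\n",
           include_kdb_authdata(0, KDB_NO_AUTH_DATA_REQUIRED, FLAG_INCLUDE_PAC, 0));
    return 0;
}
```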
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev