[38965] in Kerberos
Re: Query regarding S4U2Self protocol extension
daemon@ATHENA.MIT.EDU (Isaac Boukris)
Wed Jul 28 07:09:27 2021
MIME-Version: 1.0
In-Reply-To: <CAMeQEL_f7M0AiQoK3feZCFKPytZ93tMX6L7-KvupXr=8yVcEEA@mail.gmail.com>
From: Isaac Boukris <iboukris@gmail.com>
Date: Wed, 28 Jul 2021 14:06:00 +0300
Message-ID: <CAC-fF8QB4sE=1yAZDySViW5EZkV7b77F5yO08DhWw2c4jdPh7A@mail.gmail.com>
To: Vipul Mehta <vipulmehta.1989@gmail.com>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989@gmail.com> wrote:
>
> Now that we know the behavior is unified and the S4U2Self ticket should be forwardable to avoid the vulnerability, I think we can add a check in the MIT Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC, if the ticket is not forwardable it will fail in the client itself.
>
> I can see that JDK has this check:
> https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java -> line 105
MIT used to have that as well before RBCD was added, although I don't
think this was ever necessary, as that check should be done in the
KDC. Also disabling NonForwardableDelegation can be a valid usage when
relying on SIDs and not using protected-group, as in the original RBCD
design:
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
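The client-side precheck proposed in the quoted message, and the caveat in the reply that it must remain optional because non-forwardable delegation is a valid configuration and the KDC is the real policy enforcement point, can be illustrated with a small decoder for the RFC 4120 TicketFlags BIT STRING carried in the S4U2Self ticket. This is an added example, not MIT krb5 or JDK code; the function names, the `require_forwardable` parameter and the sample encodings are constructed for illustration.

```python
# Added example (not MIT krb5 or JDK code): decode RFC 4120 TicketFlags from a
# DER BIT STRING and apply the "S4U2Self ticket must be forwardable" precheck
# discussed in the thread. All encodings produced below are constructed samples.

# RFC 4120 section 5.2.8 TicketFlags bit positions. Bit 0 is the most
# significant bit of the first content byte of the BIT STRING.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3, "proxy": 4,
    "may-postdate": 5, "postdated": 6, "invalid": 7, "renewable": 8,
    "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def decode_ticket_flags(der: bytes) -> set:
    """Decode a DER BIT STRING (tag 0x03) into the set of named flags that are set."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    # Flags are at most a few bytes, so only the short-form length is accepted.
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused = der[2]
    if unused > 7:
        raise ValueError("bad unused-bits count")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    names = set()
    for name, bit in TICKET_FLAG_BITS.items():
        if bit < total_bits and body[bit // 8] & (0x80 >> (bit % 8)):
            names.add(name)
    return names


def encode_ticket_flags(names) -> bytes:
    """Encode named flags as the 32-bit BIT STRING that krb5 implementations emit."""
    body = bytearray(4)
    for name in names:
        bit = TICKET_FLAG_BITS[name]
        body[bit // 8] |= 0x80 >> (bit % 8)
    return bytes([0x03, 5, 0]) + bytes(body)


def s4u2proxy_precheck(s4u2self_flags_der: bytes, require_forwardable: bool = True) -> tuple:
    """Client-side check before building an S4U2Proxy TGS-REQ; returns (ok, reason).

    require_forwardable=False models the deployment the reply describes, where a
    non-forwardable S4U2Self ticket is intentionally used with resource-based
    constrained delegation. Either way the KDC still enforces the final policy;
    this only avoids a round trip that is known to fail.
    """
    flags = decode_ticket_flags(s4u2self_flags_der)
    if "invalid" in flags:
        return False, "S4U2Self ticket is marked invalid"
    if require_forwardable and "forwardable" not in flags:
        return False, "S4U2Self ticket is not forwardable; skipping S4U2Proxy"
    return True, "proceed to S4U2Proxy TGS-REQ (KDC makes the final decision)"


if __name__ == "__main__":
    sample = encode_ticket_flags({"forwardable", "pre-authent"})
    print(sorted(decode_ticket_flags(sample)), s4u2proxy_precheck(sample))
    print(s4u2proxy_precheck(encode_ticket_flags({"pre-authent"})))
```

The `require_forwardable` switch is the point of the reply: a hard-coded client check would break RBCD setups that legitimately proceed with a non-forwardable S4U2Self ticket, so the check is a convenience, not a substitute for the KDC's own delegation policy.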