[38967] in Kerberos
Re: Query regarding S4U2Self protocol extension
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Wed Jul 28 12:16:15 2021
MIME-Version: 1.0
In-Reply-To: <CAC-fF8RhhW2hUm28K4fXMbp-y4_ykkeZQyQFJvQn+AZa__zrBQ@mail.gmail.com>
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Wed, 28 Jul 2021 16:16:04 +0530
Message-ID: <CAMeQEL_f7M0AiQoK3feZCFKPytZ93tMX6L7-KvupXr=8yVcEEA@mail.gmail.com>
To: Isaac Boukris <iboukris@gmail.com>
Cc: kerberos <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Now that we know the behavior is unified and the S4U2Self ticket should be
forwardable to avoid the vulnerability, I think we can add a check in the MIT
Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC,
if the ticket is not forwardable it will fail in the client itself.
I can see that the JDK has this check:
https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
-> line 105
On Wed, Jul 28, 2021 at 2:08 PM Isaac Boukris <iboukris@gmail.com> wrote:
> On Wed, Jul 28, 2021 at 11:10 AM Vipul Mehta <vipulmehta.1989@gmail.com>
> wrote:
> >
> > I have Windows Server 2012 R2 with all the security updates installed
> > and did some tests:
> >
> > Resource Based Constrained Delegation configured for Service A in
> > Service B account.
> >
> > Case 1) Service A: trustedToAuthForDelegation = false and non-empty
> > msds-AllowedToDelegateTo -> S4U2Self ticket didn't have a forwardable flag
> > and the subsequent S4U2Proxy failed.
>
> That's expected because the default of 'NonForwardableDelegation' is
> enabled, I think, so RBCD requires the forwardable flag now; if you set
> NonForwardableDelegation to disabled (that is, to 1 ..), then RBCD
> S4U2Proxy will continue to work as before the update.
>
--
Regards,
Vipul
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
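A client-side version of the check proposed above, added here as an illustration and not code from MIT Kerberos or the JDK: it decodes the DER TicketFlags BIT STRING of the S4U2Self ticket's EncKDCRepPart into the 32-bit flag word layout MIT krb5 uses (bit 1 of the bit string, forwardable, is 0x40000000 as in krb5.h) and refuses to build the S4U2Proxy TGS-REQ when that flag is clear. The function names, error codes and the sample encodings are my own and are not part of any real API.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Flag bits in the layout MIT krb5 uses for krb5_creds.ticket_flags: bit n of
 * the RFC 4120 TicketFlags BIT STRING is stored at bit (31 - n) of a 32-bit
 * word, so forwardable (bit 1) is 0x40000000 and pre-authent (bit 10) is
 * 0x00200000, matching the constants in MIT's krb5.h. */
#define TKT_FLG_FORWARDABLE 0x40000000u
#define TKT_FLG_PRE_AUTH    0x00200000u

/* Hypothetical result codes for this example (not MIT error codes). */
enum { S4U_OK = 0, S4U_ERR_BAD_ENCODING = 1, S4U_ERR_NOT_FORWARDABLE = 2 };

/* Decode a DER BIT STRING (03 <len> <unused-bits> <bytes...>) into the flag
 * word. TicketFlags is at least 32 bits long, so four data bytes are required;
 * bits beyond the first 32 are ignored. Returns 1 on success, 0 on a bad DER. */
int decode_ticket_flags(const uint8_t *der, size_t len, uint32_t *flags)
{
    if (len < 7 || der[0] != 0x03 || der[1] > 0x7f) return 0;
    if ((size_t)der[1] + 2 != len || der[2] > 7) return 0;
    uint32_t word = 0;
    for (size_t i = 0; i < 4; i++)
        word = (word << 8) | der[3 + i];
    *flags = word;
    return 1;
}

/* The proposed gate: refuse to build an S4U2Proxy TGS-REQ when the S4U2Self
 * ticket that would go into additional-tickets is not forwardable, instead of
 * relying on the KDC (patched or not) to make that decision. */
int s4u2proxy_precheck(uint32_t ticket_flags)
{
    return (ticket_flags & TKT_FLG_FORWARDABLE) ? S4U_OK : S4U_ERR_NOT_FORWARDABLE;
}

int s4u2proxy_precheck_der(const uint8_t *der, size_t len)
{
    uint32_t flags;
    if (!decode_ticket_flags(der, len, &flags)) return S4U_ERR_BAD_ENCODING;
    return s4u2proxy_precheck(flags);
}

/* Constructed samples, not captured traffic: {forwardable, pre-authent} and
 * {pre-authent} only, as an evidence ticket's EncKDCRepPart might carry. */
static const uint8_t TKT_FLAGS_FORWARDABLE[] = {0x03,0x05,0x00,0x40,0x20,0x00,0x00};
static const uint8_t TKT_FLAGS_PLAIN[]       = {0x03,0x05,0x00,0x00,0x20,0x00,0x00};

int main(void)
{
    printf("forwardable: %d\n", s4u2proxy_precheck_der(TKT_FLAGS_FORWARDABLE, 7));
    printf("non-forwardable: %d\n", s4u2proxy_precheck_der(TKT_FLAGS_PLAIN, 7));
    return 0;
}
```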