[38968] in Kerberos
Re: Query regarding S4U2Self protocol extension
daemon@ATHENA.MIT.EDU (Vipul Mehta)
Thu Jul 29 11:27:28 2021
In-Reply-To: <CAC-fF8QB4sE=1yAZDySViW5EZkV7b77F5yO08DhWw2c4jdPh7A@mail.gmail.com>
From: Vipul Mehta <vipulmehta.1989@gmail.com>
Date: Thu, 29 Jul 2021 14:20:46 +0530
Message-ID: <CAMeQEL9PsKHvPBYb7mZBqRQxScwd8YNVBudYNCjcus8ibd66xg@mail.gmail.com>
To: Isaac Boukris <iboukris@gmail.com>
Cc: kerberos <kerberos@mit.edu>
Thank you.
This was a useful discussion for me.
On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris <iboukris@gmail.com> wrote:
> On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1989@gmail.com>
> wrote:
> >
> > Now we know that behavior is unified and the S4U2Self ticket should be
> > forwardable to avoid the vulnerability, I think we can add a check in the MIT
> > Kerberos API itself such that before sending the S4U2Proxy TGS-REQ to the KDC, if
> > the ticket is not forwardable it will fail in the client itself.
> >
> > I can see that JDK has this check:
> >
> > https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
> > -> line 105
>
> MIT used to have that as well before RBCD was added, although I don't
> think this was ever necessary, as that check should be done in the
> KDC. Also disabling NonForwardableDelegation can be a valid usage when
> relying on SIDs and not using protected-group, as in the original RBCD
> design:
>
>
> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md
>
--
Regards,
Vipul
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
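The client-side "is the S4U2Self ticket forwardable?" pre-check that the thread contrasts with KDC-side enforcement, as an added illustration that is not code from the thread, MIT Kerberos or the JDK. It decodes the KerberosFlags BIT STRING (RFC 4120 section 5.2.8) from a ticket and models the legacy refuse-in-client behaviour beside the RBCD behaviour of letting the KDC decide; the sample encodings are constructed.

```python
# Constructed example of the client-side forwardable pre-check discussed in
# the thread; not MIT Kerberos or JDK code.

# KerberosFlags bit numbers from RFC 4120 section 5.2.8.  Bit 0 is the most
# significant bit of the first octet, so bit n maps to mask 1 << (31 - n).
TKT_FLG_FORWARDABLE = 1
TKT_FLG_FORWARDED = 2
TKT_FLG_PROXIABLE = 3
TKT_FLG_PROXY = 4


def decode_kerberos_flags(der: bytes) -> int:
    """Decode a DER BIT STRING carrying KerberosFlags into a 32-bit integer.

    RFC 4120 requires at least 32 bits; shorter encodings are zero-padded on
    the right so the well-known bit positions above still line up.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("unsupported or truncated BIT STRING length")
    unused_bits = der[2]
    if unused_bits > 7:
        raise ValueError("invalid unused-bits octet")
    body = der[3:]
    if unused_bits and body:
        # Mask off the padding bits in the final octet before interpreting.
        body = body[:-1] + bytes([body[-1] & (0xFF << unused_bits) & 0xFF])
    body = (body + b"\x00" * 4)[:4]
    return int.from_bytes(body, "big")


def flag_is_set(flags: int, bit: int) -> bool:
    return bool(flags & (1 << (31 - bit)))


def client_allows_s4u2proxy(s4u2self_flags: int, rbcd: bool) -> bool:
    """Model the two client behaviours the thread contrasts.

    The legacy (pre-RBCD) MIT client and the JDK refuse to build the S4U2Proxy
    TGS-REQ when the S4U2Self ticket lacks FORWARDABLE.  Under RBCD a
    non-forwardable ticket can be a valid usage and the KDC is the authority,
    so the client sends the request and leaves the decision to the KDC.
    """
    if flag_is_set(s4u2self_flags, TKT_FLG_FORWARDABLE):
        return True
    return rbcd


# Constructed sample encodings: 32-bit flags, no unused bits.
FORWARDABLE_TICKET = b"\x03\x05\x00\x40\x00\x00\x00"  # FORWARDABLE set
PLAIN_TICKET = b"\x03\x05\x00\x00\x00\x00\x00"        # no flags set
```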