[19814] in Kerberos_V5_Development
Re: kdc: cross realm s4u2self handling
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 18 17:28:04 2018
To: Isaac Boukris <iboukris@gmail.com>, krbdev@mit.edu
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <48ef131f-8d71-5de2-2b93-37902c4e6baa@mit.edu>
Date: Tue, 18 Sep 2018 17:27:40 -0400
MIME-Version: 1.0
In-Reply-To: <CAC-fF8TJHx9EtOECkMo9uenyFDXJCVgOw5w7+-KVu3H-TKK65g@mail.gmail.com>
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
On 09/18/2018 12:12 PM, Isaac Boukris wrote:
> I'd like to start with the last commit in the MIT patch, which
> partially reverts 8a9909ff9ef6b51c5ed09ead6713888fbb34072f commit,
> that I don't fully understand.
That was part of a series of commits made between 1.11 and 1.12, with
the goal of treating the client request as an immutable object (commit
9e37d01a0122904776fada43ec65425c375414d8). Prior to those commits,
process_tgs_req() would set the request server to the result of the
server search, which could be a referral. For the commit you are trying
to understand, there were two checks against request->server that I was
concerned with:
* In kdc_util.c:kdc_process_s4u2self_req(), we compare request->server
against the client principal in the header ticket and error out if it
doesn't match.
* In tgs_policy.c:check_tgs_nontgt(), we compare the header ticket
server against the request server and error out if it doesn't match.
I wanted to make sure that leaving request->server alone would not allow
requests through which would previously have been disallowed. I was
only considering within-realm S4U2Self requests, but I believe that in
the 1.11 code, the check in kdc_process_s4u2self_req() would have
prevented cross-realm S4U2Self requests from succeeding. It no longer
interferes bequest request->server is now the original request server.
I may have unwittingly been preserving a bug rather than an intentional
restriction, so we can probably relax it.
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev