[20084] in Kerberos_V5_Development
Re: authentication indicators and S4U2Self
daemon@ATHENA.MIT.EDU (Alexander Bokovoy)
Thu May 7 02:36:52 2020
Date: Thu, 7 May 2020 09:36:33 +0300
From: Alexander Bokovoy <abokovoy@redhat.com>
To: Greg Hudson <ghudson@mit.edu>
Message-ID: <20200507063633.GM5611@redhat.com>
In-Reply-To: <dd7700d9-40cd-b56c-7584-6a65d758f98b@mit.edu>
Cc: krbdev@mit.edu
On Wed, 06 May 2020, Greg Hudson wrote:
>On 5/6/20 2:20 PM, Alexander Bokovoy wrote:
>> Together with Isaac we were looking into cross-realm S4U2Self
>> implementation in FreeIPA and I noticed that MIT Kerberos does not allow
>> issuing an S4U2Self service ticket to a service protected with
>> an authentication indicator.
>
>I think we can just omit the indicator check for S4U2Self requests.
>Restricting how strong the initial ticket acquisition must have been to
>access a service has nothing to do with the service fetching tickets for
>itself.
Fair enough. As for the indicator for S4U2Self, we can add something
like that in the sign_authdata callback in FreeIPA now that 1.18 allows
modifying authentication indicators at that point.
I reviewed https://github.com/krb5/krb5/pull/1067 and it looks good to
me. Thank you!
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
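Added example, not part of the thread and not krb5 or FreeIPA code: a small Python model of the two decisions discussed above. It follows the documented semantics of the require_auth string attribute (a space-separated list; any one listed indicator satisfies the check), skips that check when the request is an S4U2Self (protocol-transition) request as Greg proposes, and then runs a hypothetical sign_authdata-style hook of the kind Alexander describes, which tags S4U2Self-issued tickets with an indicator. The flag name is borrowed from the KDB API but its numeric value, the "s4u2self" indicator name and all function names are assumptions for illustration only; the sample principal entries are constructed here.

```python
"""Model of the KDC indicator check and a sign_authdata-style hook.

Illustration only: it is not the krb5 KDC's code. It mirrors the documented
require_auth semantics and the S4U2Self exemption proposed in the thread.
"""
from dataclasses import dataclass, field

# Name borrowed from the KDB API; the numeric value here is arbitrary.
KRB5_KDB_FLAG_PROTOCOL_TRANSITION = 0x00000001

# Hypothetical indicator a KDB module might attach to S4U2Self-issued tickets.
S4U2SELF_INDICATOR = "s4u2self"


@dataclass
class PrincipalEntry:
    """Minimal stand-in for a krb5_db_entry: principal name plus string attributes."""
    name: str
    string_attrs: dict = field(default_factory=dict)


class IndicatorCheckFailed(Exception):
    """Stand-in for the KDC refusing the request (policy error) on a failed check."""


def required_indicators(service: PrincipalEntry) -> set:
    """Parse the service's require_auth attribute into a set of indicator names."""
    return set(service.string_attrs.get("require_auth", "").split())


def check_indicators(service: PrincipalEntry, indicators: list, flags: int) -> None:
    """Enforce require_auth on a TGS request; any one listed indicator suffices.

    Following the proposal in the thread, S4U2Self requests are exempt: the
    indicators present describe how the *service* authenticated, which says
    nothing about the user the service is obtaining a ticket for.
    """
    if flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION:
        return
    required = required_indicators(service)
    if required and required.isdisjoint(indicators):
        raise IndicatorCheckFailed(
            f"{service.name} requires one of {sorted(required)}, "
            f"ticket carries {sorted(indicators)}"
        )


def sign_authdata_hook(indicators: list, flags: int) -> list:
    """Hypothetical sign_authdata-style hook that may modify the indicator list.

    Mirrors the idea that, since 1.18, a KDB module can edit the indicators
    at signing time; here it marks S4U2Self-issued tickets.
    """
    out = list(indicators)
    if flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION and S4U2SELF_INDICATOR not in out:
        out.append(S4U2SELF_INDICATOR)
    return out


def issue_service_ticket(service: PrincipalEntry, header_indicators: list,
                         flags: int = 0) -> list:
    """Return the indicators that end up in the issued ticket, or raise."""
    check_indicators(service, header_indicators, flags)
    return sign_authdata_hook(header_indicators, flags)


if __name__ == "__main__":
    # Constructed sample: a service that insists on an OTP-authenticated TGT.
    webapp = PrincipalEntry("HTTP/app.example.test", {"require_auth": "otp pkinit"})
    print(issue_service_ticket(webapp, ["otp"]))                 # normal TGS, passes
    try:
        issue_service_ticket(webapp, ["password"])               # normal TGS, refused
    except IndicatorCheckFailed as e:
        print("refused:", e)
    # S4U2Self by the service itself: check skipped, hook tags the ticket.
    print(issue_service_ticket(webapp, [], KRB5_KDB_FLAG_PROTOCOL_TRANSITION))
```

The model keeps the exemption and the hook as two separate steps on purpose: the first is KDC policy (whether to issue at all), the second is what the KDB module is allowed to do to the issued ticket, which is how the thread splits the responsibility between krb5 and FreeIPA.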