RT/krbdev.mit.edu: Ticket #3322 get_cred_via_tkt() checks too strict on server principal

 
 

 The Basics  
Id: 3322
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

 Keyword Selections  
Component: krb5-libs
Version_reported: 1.4.4
Version_Fixed: 1.6
Target_Version: 1.6
Tags: pullup
 

 Relationships  
Depends on:
Depended on by:
  • 1204: (tlyu) Unable to get a TGT cross-realm referral [resolved]
  • 2652: (amb) Add support for referrals [resolved]
Parents:
Children:

Refers to:
Referred to by:
 
 Dates  
Created: Tue Jan 3 16:28:59 2006
Starts: Not set
Started: Not set
Last Contact: Not set
Due: Not set
Updated: Thu Nov 30 16:14:51 2006 by tlyu
 

 People  
Owner: amb
Requestors: tlyu@mit.edu
Cc:
AdminCc:
 

History
      Tue Jan  3 16:29:00 2006  tlyu - Ticket created    
     
krb5_get_cred_via_tkt() explicitly checks that the requested server
principal name is identical to the returned server principal name.  This
prevents the cross-realm KDC referral logic in get_cred_from_kdc() from
working.  There should be a way to relax this check, perhaps
substituting a check that the cleartext and encrypted server principal
names are identical.


      Tue Jan  3 16:38:47 2006  tlyu - Subject changed from to get_cred_via_tkt() checks too strict on server principal    
      Tue Jan 10 17:08:53 2006  tlyu - Given to amb    
      Tue Nov 28 20:00:44 2006  tlyu - Correspondence added    
     
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #3322]
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 28 Nov 2006 20:00:40 -0500
RT-Send-Cc: 

Following the referrals merge, gc_via_tkt is still a bit too strict
about server principal checks.  In the non-canonicalization case, it
should allow the server principal to differ from the requested server
if both are TGS principals and the requested principal has a second
component which is not the client's local realm.


      Thu Nov 30 15:50:21 2006  tlyu - Status changed from open to resolved    
      Thu Nov 30 15:50:22 2006  tlyu - Tags pullup added    
      Thu Nov 30 15:50:23 2006  tlyu - Target_Version 1.6 added    
      Thu Nov 30 15:50:23 2006  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

	* src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function
	to check server principal in reply.  Ensures that the reply is
	self-consistent, allows rewrites if canonicalization is requested,
	and allows limited rewrites of TGS principals if canonicalization
	is not requested.
	(krb5_get_cred_via_tkt): Move server principal checks into
	check_reply_server().

Commit By: tlyu



Revision: 18879
Changed Files:
U   trunk/src/lib/krb5/krb/gc_via_tkt.c


      Thu Nov 30 16:14:48 2006  tlyu - Version_Fixed 1.6 added    
      Thu Nov 30 16:14:48 2006  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: SVN Commit

pull up r18879 from trunk

 r18879@cathode-dark-space:  tlyu | 2006-11-30 15:50:02 -0500
 ticket: 3322
 target_version: 1.6
 tags: pullup

 	* src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function
 	to check server principal in reply.  Ensures that the reply is
 	self-consistent, allows rewrites if canonicalization is requested,
 	and allows limited rewrites of TGS principals if canonicalization
 	is not requested.
 	(krb5_get_cred_via_tkt): Move server principal checks into
 	check_reply_server().



Commit By: tlyu



Revision: 18881
Changed Files:
_U  branches/krb5-1-6/
U   branches/krb5-1-6/src/lib/krb5/krb/gc_via_tkt.c
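
The rules the commit message gives for check_reply_server(), written out as an added C sketch that is not the krb5 source. The `struct princ` type, the function names and the realm names used with it are hypothetical, and accepting an exact match before the other rules is an assumption.

```c
#include <string.h>

/* Simplified principal for illustration (hypothetical, not krb5_principal). */
struct princ {
    const char *realm;
    int ncomp;              /* number of name components, at most 2 here */
    const char *comp[2];
};

static int princ_eq(const struct princ *a, const struct princ *b)
{
    if (strcmp(a->realm, b->realm) != 0 || a->ncomp != b->ncomp)
        return 0;
    for (int i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* A TGS principal has the form krbtgt/REALM@REALM'. */
static int is_tgs(const struct princ *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "krbtgt") == 0;
}

/* Returns 0 if the reply's server principal is acceptable, -1 otherwise. */
int reply_server_ok(const struct princ *requested,
                    const struct princ *ticket_server,  /* cleartext name */
                    const struct princ *encpart_server, /* encrypted name */
                    const char *client_realm, int canonicalize)
{
    /* 1. Self-consistency: cleartext and encrypted names must agree,
     *    whatever else is allowed. */
    if (!princ_eq(ticket_server, encpart_server))
        return -1;
    /* 2. The reply names exactly what was asked for (assumed shortcut). */
    if (princ_eq(requested, encpart_server))
        return 0;
    /* 3. Canonicalization requested: the KDC may rewrite the name. */
    if (canonicalize)
        return 0;
    /* 4. No canonicalization: only a TGS-to-TGS rewrite is allowed, and only
     *    when the requested second component is not the client's realm. */
    if (is_tgs(requested) && is_tgs(encpart_server) &&
        strcmp(requested->comp[1], client_realm) != 0)
        return 0;
    return -1;
}
```

Rule 1 runs first so that a reply whose cleartext and encrypted server names disagree is rejected even when canonicalization was requested.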

