RT/krbdev.mit.edu: Ticket #6337 kadmin should force non-forwardable tickets

The Basics
Id: 6337
Status: resolved
Worked: 0 min
Priority: 0/0
Queue: krb5

Keyword Selections
Component: krb5-admin
Version_reported: 1.6.3
Version_Fixed: 1.7
Target_Version:
Tags:


 Dates  
Created: Tue Jan 13 15:38:00 2009
Starts: Not set
Started: Tue Jan 13 19:29:07 2009
Last Contact: Tue Jan 13 16:20:48 2009
Due: Not set
Updated: Fri Jan 30 23:08:21 2009 by tlyu
 

People
Owner: rra
Requestors: Russ Allbery <rra@stanford.edu>
Cc:
AdminCc:



History

Tue Jan 13 15:38:00 2009  rra - Ticket created
Subject: kadmin should force non-forwardable tickets

We make forwardable tickets the default in the [libdefaults] section of
our krb5.conf file, but we disable forwardable tickets for privileged
principals (*/root, */admin).  Authenticating to kadmin with a password
as a privileged account therefore fails on systems with our default
krb5.conf file.

In kadm5_gic_iter() when authenticating with a password, the client
library sets up krb5_get_init_creds_opt structure but doesn't set any
parameters in it.  Since the acquired credentials are going into a
memory cache specific to that client invocation, forwardable tickets are
pointless.  I think the kadmin client library should therefore force the
forwardable option (and probably the proxiable option and renewable
time) to false.


Tue Jan 13 15:46:55 2009  rra@stanford.edu - Correspondence added
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6337] kadmin should force non-forwardable tickets
From: Russ Allbery <rra@stanford.edu>
Date: Tue, 13 Jan 2009 12:46:53 -0800

"Russ Allbery <rra@stanford.edu> via RT" <rt-comment@krbdev.mit.edu>
writes:

> In kadm5_gic_iter() when authenticating with a password, the client
> library sets up krb5_get_init_creds_opt structure but doesn't set any
> parameters in it.  Since the acquired credentials are going into a
> memory cache specific to that client invocation, forwardable tickets are
> pointless.  I think the kadmin client library should therefore force the
> forwardable option (and probably the proxiable option and renewable
> time) to false.

Here's a patch.  Let me know if this looks good and I'll check it in.

Index: client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c	(revision 21740)
+++ src/lib/kadm5/clnt/client_init.c	(working copy)
@@ -541,8 +541,12 @@
 	     goto error;
      }

-     if (init_type != INIT_CREDS)
+     /* Credentials for kadmin don't need to be forwardable or proxiable. */
+     if (init_type != INIT_CREDS) {
 	  krb5_get_init_creds_opt_init(&opt);
+	  krb5_get_init_creds_opt_set_forwardable(&opt, 0);
+	  krb5_get_init_creds_opt_set_proxiable(&opt, 0);
+     }

      if (init_type == INIT_PASS) {
 	  code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
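Review bot: the renewable lifetime that the ticket description also proposed forcing off ("and probably the proxiable option and renewable time") is not addressed by this hunk, so a renew_lifetime setting in [libdefaults] still applies to the credentials kadmin obtains; either add `krb5_get_init_creds_opt_set_renew_life(&opt, 0);` next to the two new set_forwardable/set_proxiable calls, or extend the new comment to state that renewable lifetime is deliberately left to krb5.conf so the omission is not read as an oversight later. The added braces and the placement of the two calls after `krb5_get_init_creds_opt_init(&opt)` are correct, since the init call would otherwise reset the flags.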

--
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>


Tue Jan 13 16:20:47 2009  raeburn - Correspondence added
From: Ken Raeburn <raeburn@MIT.EDU>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6337] kadmin should force non-forwardable tickets
Date: Tue, 13 Jan 2009 16:20:44 -0500

The patch looks good to me.

Ken


Tue Jan 13 19:29:07 2009  rra - Given to rra
Tue Jan 13 19:29:07 2009  rra - Status changed from new to review
Tue Jan 13 19:29:07 2009  rra - Correspondence added
From: Russ Allbery <rra@stanford.edu>
Subject: SVN Commit


Force tickets acquired by the kadm5 client library via password
authentication to be non-forwardable and non-proxiable, overriding
any [libdefaults] configuration.  This may be necessary at sites that
set forwardable to true by default in their krb5.conf files but
disable forwardable tickets for privileged principals.  Since the
ticket cache acquired by the kadm5 client library is used only for
kadmin operations, where forwardable is not useful or necessary, there
is no reason to ever attempt to obtain forwardable or proxiable tickets
here.


http://src.mit.edu/fisheye/changelog/krb5/?cs=21744
Commit By: rra
Revision: 21744
Changed Files:
U   trunk/src/lib/kadm5/clnt/client_init.c


Fri Jan 23 15:49:06 2009  tlyu - Status changed from review to resolved
Fri Jan 30 23:08:21 2009  tlyu - Version_Fixed 1.7 added