Return-Path:
X-Original-To: rt@krbdev.mit.edu
Received: from smtp4.stanford.edu (smtp4.Stanford.EDU [171.67.219.84]) by krbdev.mit.edu (Postfix) with ESMTP id D7A04CC004 for ; Tue, 13 Jan 2009 20:46:54 +0000 (UTC)
Received: from smtp4.stanford.edu (localhost.localdomain [127.0.0.1]) by localhost (Postfix) with SMTP id 0EE4F486416 for ; Tue, 13 Jan 2009 12:46:54 -0800 (PST)
Received: from windlord.stanford.edu (windlord.Stanford.EDU [171.67.225.134]) by smtp4.stanford.edu (Postfix) with ESMTP id E540348641A for ; Tue, 13 Jan 2009 12:46:53 -0800 (PST)
Received: by windlord.stanford.edu (Postfix, from userid 1000) id B2C4DE792E; Tue, 13 Jan 2009 12:46:53 -0800 (PST)
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #6337] kadmin should force non-forwardable tickets
In-Reply-To: (Russ Allbery's message of "Tue, 13 Jan 2009 20:38:00 +0000 (UTC)")
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)
References:
From: Russ Allbery
Organization: The Eyrie
Date: Tue, 13 Jan 2009 12:46:53 -0800
Message-ID: <8763kj6iiq.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
RT-Send-Cc:
X-RT-Original-Encoding: us-ascii
Content-Length: 1336

"Russ Allbery via RT" writes:

> In kadm5_gic_iter() when authenticating with a password, the client
> library sets up a krb5_get_init_creds_opt structure but doesn't set any
> parameters in it. Since the acquired credentials are going into a
> memory cache specific to that client invocation, forwardable tickets are
> pointless. I think the kadmin client library should therefore force the
> forwardable option (and probably the proxiable option and renewable
> time) to false.

Here's a patch. Let me know if this looks good and I'll check it in.

Index: client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c (revision 21740)
+++ src/lib/kadm5/clnt/client_init.c (working copy)
@@ -541,8 +541,12 @@ goto error; } - if (init_type != INIT_CREDS) + /* Credentials for kadmin don't need to be forwardable or proxiable. */ + if (init_type != INIT_CREDS) { krb5_get_init_creds_opt_init(&opt); + krb5_get_init_creds_opt_set_forwardable(&opt, 0); + krb5_get_init_creds_opt_set_proxiable(&opt, 0); + } if (init_type == INIT_PASS) { code = krb5_get_init_creds_password(ctx, &outcreds, client, pass, -- Russ Allbery (rra@stanford.edu)
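Review bot: the hunk clears only forwardable and proxiable, while the quoted proposal also named the renewable time; if that is still intended, add `krb5_get_init_creds_opt_set_renew_life(&opt, 0);` next to the two new set_* calls inside the same `if (init_type != INIT_CREDS)` block. Passing an explicit 0 rather than leaving the option untouched is the right choice here, since an unset option leaves the decision to the library defaults, whereas the comment added in the hunk states that kadmin credentials never need these flags; it would help a later reader if the comment also said that the explicit zeroes are deliberate overrides and not merely restating the default.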