From kenh@cmf.nrl.navy.mil Tue Dec 10 14:02:05 1996
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id OAA09890 for <bugs@RT-11.MIT.EDU>; Tue, 10 Dec 1996 14:02:04 -0500
Received: from [134.207.10.161] by MIT.EDU with SMTP
id AA03635; Tue, 10 Dec 96 14:02:03 EST
Received: from elvis.cmf.nrl.navy.mil (kenh@elvis.cmf.nrl.navy.mil [134.207.10.38]) by ginger.cmf.nrl.navy.mil (8.7.5/8.7.3) with ESMTP id OAA05548 for <krb5-bugs@mit.edu>; Tue, 10 Dec 1996 14:02:02 -0500 (EST)
Received: (kenh@localhost) by elvis.cmf.nrl.navy.mil (8.6.12/8.6.11) id OAA00647; Tue, 10 Dec 1996 14:02:00 -0500
Message-Id: <199612101902.OAA00647@elvis.cmf.nrl.navy.mil>
Date: Tue, 10 Dec 1996 14:02:00 -0500
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Reply-To: kenh@cmf.nrl.navy.mil
To: krb5-bugs@MIT.EDU
Subject: fwd_tgt_creds fails when doing cross-realm
X-Send-Pr-Version: 3.2

>Number: 290
>Category: krb5-libs
>Synopsis: krb5_fwd_tgt_creds fails when forwarding tickets to a machine in another realm
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Tue Dec 10 14:03:01 EST 1996
>Last-Modified: Wed Feb 12 17:45:21 EST 1997
>Originator: Ken Hornstein
>Organization:
Naval Research Lab
>Release: 1.0-development
>Environment:

System: SunOS elvis 4.1.3_U1 13 sun4m
Architecture: sun4

>Description:

(Forgive me if this was posted before).

When you use Kerberos telnet/rlogin to connect to a machine in a foreign
realm, krb5_fwd_tgt_creds tries to forward the following ticket:

krbtgt/LOCALREALM@FOREIGNREALM

This fails miserably, because for cross-cell, you're supposed to be using
krbtgt/FOREIGNREALM@LOCALREALM.

However, forwarding the cross-cell ticket doesn't seem to make sense at all,
because it seems to me you really want to forward the TGT from your realm
(since an authentication path may not exist in the reverse direction, but
since you're already authenticated to a machine in a local realm, then
there is already a valid authentication path). I think this code should
really be changed to use your regular TGT.

>How-To-Repeat:

Try to forward a TGT to a machine in another realm.
>Fix:

This makes fwd_tgt use the same name for both the realm and the instance of
the TGT.

--- lib/krb5/krb/fwd_tgt.c.orig Tue Dec 10 13:42:41 1996
+++ lib/krb5/krb/fwd_tgt.c Tue Dec 10 13:47:00 1996
@@ -77,8 +77,8 @@
goto errout;

if ((retval = krb5_build_principal_ext(context, &creds.server,
- server->realm.length,
- server->realm.data,
+ client->realm.length,
+ client->realm.data,
KRB5_TGS_NAME_SIZE,
KRB5_TGS_NAME,
client->realm.length,
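Review bot: with both the realm argument and the instance component now taken from `client->realm`, the `server` principal's realm no longer influences the TGT name at all, so this `krb5_build_principal_ext` call deserves a comment stating that the user's own `krbtgt/LOCALREALM@LOCALREALM` is forwarded deliberately (the rationale from the Description: the home TGT is what the cache is guaranteed to hold, and the reverse authentication path may not exist); without it, the next reader will assume `server->realm` was intended. It is also worth confirming in review that no other use of `server` in this function still assumes the old cross-realm name.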
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Wed Feb 12 17:44:48 1997
State-Changed-Why:

Dup of krb5-libs/206

>Unformatted:
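The naming mix-up the report describes, worked through as an added example (this is not code from the krb5 tree or from the report): a small model of how the forwarded-TGT name is assembled in the original and in the patched fwd_tgt.c, checked against a constructed credential cache. The realm names `NRL.EXAMPLE` and `MIT.EXAMPLE`, the cache contents and all function names are assumptions for illustration; the cache models a user from the local realm who has already obtained the cross-realm TGT `krbtgt/FOREIGNREALM@LOCALREALM` on the way to the foreign machine.

```c
/* Added example, not krb5 code: model of the forwarded-TGT name in the
 * original and patched fwd_tgt.c, and why the original lookup fails
 * for a cross-realm login. Realm names and cache contents are constructed. */
#include <stdio.h>
#include <string.h>

#define TGS_NAME  "krbtgt"
#define PRINC_MAX 128

/* Format a two-component principal in the order krb5_build_principal_ext's
 * arguments read: realm first, then "krbtgt", then the instance component. */
static void build_tgt_principal(char *out, size_t outlen,
                                const char *realm, const char *instance)
{
    snprintf(out, outlen, "%s/%s@%s", TGS_NAME, instance, realm);
}

/* Original fwd_tgt.c: realm from the server, instance from the client,
 * giving krbtgt/LOCALREALM@FOREIGNREALM, a ticket no KDC ever issued. */
static void fwd_tgt_name_original(char *out, size_t outlen,
                                  const char *client_realm,
                                  const char *server_realm)
{
    build_tgt_principal(out, outlen, server_realm, client_realm);
}

/* Patched fwd_tgt.c: realm and instance both from the client,
 * giving krbtgt/LOCALREALM@LOCALREALM, the user's own TGT. */
static void fwd_tgt_name_patched(char *out, size_t outlen,
                                 const char *client_realm,
                                 const char *server_realm)
{
    (void)server_realm;  /* no longer consulted after the patch */
    build_tgt_principal(out, outlen, client_realm, client_realm);
}

/* Constructed credential cache of a user from NRL.EXAMPLE who has logged
 * into a host in MIT.EXAMPLE: the home TGT from kinit plus the cross-realm
 * TGT krbtgt/MIT.EXAMPLE@NRL.EXAMPLE obtained from the home TGS. */
static const char *const sample_cache[] = {
    "krbtgt/NRL.EXAMPLE@NRL.EXAMPLE",
    "krbtgt/MIT.EXAMPLE@NRL.EXAMPLE",
};

/* 1 if the cache holds a ticket with exactly this server name, else 0.
 * This is the lookup krb5_fwd_tgt_creds has to satisfy before forwarding. */
static int cache_has(const char *principal)
{
    size_t n = sizeof sample_cache / sizeof sample_cache[0];
    for (size_t i = 0; i < n; i++)
        if (strcmp(sample_cache[i], principal) == 0)
            return 1;
    return 0;
}

/* Does the name the original code builds exist in the cache? */
static int original_lookup_succeeds(const char *client_realm,
                                    const char *server_realm)
{
    char name[PRINC_MAX];
    fwd_tgt_name_original(name, sizeof name, client_realm, server_realm);
    return cache_has(name);
}

/* Does the name the patched code builds exist in the cache? */
static int patched_lookup_succeeds(const char *client_realm,
                                   const char *server_realm)
{
    char name[PRINC_MAX];
    fwd_tgt_name_patched(name, sizeof name, client_realm, server_realm);
    return cache_has(name);
}

int main(void)
{
    char name[PRINC_MAX];
    fwd_tgt_name_original(name, sizeof name, "NRL.EXAMPLE", "MIT.EXAMPLE");
    printf("original: %s -> %s\n", name, cache_has(name) ? "found" : "not in cache");
    fwd_tgt_name_patched(name, sizeof name, "NRL.EXAMPLE", "MIT.EXAMPLE");
    printf("patched:  %s -> %s\n", name, cache_has(name) ? "found" : "not in cache");
    return 0;
}
```

Running it shows the two outcomes side by side: the original name `krbtgt/NRL.EXAMPLE@MIT.EXAMPLE` is absent from the cache, so forwarding fails exactly as the report says, while the patched name is the home TGT that every cache holds. In the same-realm case both builders produce `krbtgt/NRL.EXAMPLE@NRL.EXAMPLE`, which is why the bug only surfaces on cross-realm logins.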