Skip Menu |
 

krb5_get_cred_via_tkt() explicitly checks that the requested server
principal name is identical to the returned server principal name. This
prevents the cross-realm KDC referral logic in get_cred_from_kdc() from
working. There should be a way to relax this check, perhaps
substituting a check that the cleartext and encrypted server principal
names are identical.
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #3322]
From: Tom Yu <tlyu@MIT.EDU>
Date: Tue, 28 Nov 2006 20:00:40 -0500
RT-Send-Cc:
Following the referrals merge, gc_via_tkt is still a bit too strict
about server principal checks. In the non-canonicalization case, it
should allow the server principal to differ from the requested server
if both are TGS principals and the requested principal has a second
component which is not the client's local realm.
From: tlyu@mit.edu
Subject: SVN Commit
* src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function
to check server principal in reply. Ensures that the reply is
self-consistent, allows rewrites if canonicalization is requested,
and allows limited rewrites of TGS principals if canonicalization
is not requested.
(krb5_get_cred_via_tkt): Move server principal checks into
check_reply_server().

Commit By: tlyu



Revision: 18879
Changed Files:
U trunk/src/lib/krb5/krb/gc_via_tkt.c
From: tlyu@mit.edu
Subject: SVN Commit
pull up r18879 from trunk

r18879@cathode-dark-space: tlyu | 2006-11-30 15:50:02 -0500
ticket: 3322
target_version: 1.6
tags: pullup

* src/lib/krb5/krb/gc_via_tkt.c (check_reply_server): New function
to check server principal in reply. Ensures that the reply is
self-consistent, allows rewrites if canonicalization is requested,
and allows limited rewrites of TGS principals if canonicalization
is not requested.
(krb5_get_cred_via_tkt): Move server principal checks into
check_reply_server().



Commit By: tlyu



Revision: 18881
Changed Files:
_U branches/krb5-1-6/
U branches/krb5-1-6/src/lib/krb5/krb/gc_via_tkt.c