Ticket History #6203: DELEG_POLICY

# Mon Oct 20 17:14:50 2008 tlyu (Taylor Yu) - Ticket created

Subject:

DELEG_POLICY_FLAG for GSS

Download (untitled) / with headers
text/plain 145B

Proposed GSS-API extension requesting to delegate credentials only
according to KDC policy, i.e., OK-AS-DELEGATE set. Patch from Apple
attached.

Download LHA-6132218-deleg-policy-flag.patch
application/octet-stream 1.5KiB

Message body not shown because it is not plain text.

# Mon Oct 20 17:17:02 2008 tlyu (Taylor Yu) - Cc lha (Love Hornquist Astrand) added

# Tue Apr 07 15:48:13 2009 tlyu (Taylor Yu) - Given to ghudson@mit.edu (Greg Hudson)

# Wed Apr 08 12:09:33 2009 ghudson@mit.edu (Greg Hudson) - Comments added

Download (untitled) / with headers
text/plain 124B

A good description of the meaning of this flag is at:

http://www.h5l.org/blog/index.php/2008/10/ok-as-delegate-and-gss-api/

# Wed Apr 08 12:39:34 2009 ghudson@mit.edu (Greg Hudson) - Target_Version 1.7 added

# Wed Apr 08 12:39:34 2009 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Wed Apr 08 12:39:34 2009 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Wed Apr 08 12:39:34 2009 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 363B

Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is
set.

https://github.com/krb5/krb5/commit/45875a4d7bbd6bb8a943572d84fef5ca2bb18291
Commit By: ghudson
Revision: 22185
Changed Files:
U trunk/src/lib/gssapi/generic/gssapi.hin
U trunk/src/lib/gssapi/krb5/init_sec_context.c

# Wed Apr 15 16:07:49 2009 tlyu (Taylor Yu) - Version_Fixed 1.7 added

# Wed Apr 15 16:07:49 2009 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 728B

pull up r22185 from trunk

------------------------------------------------------------------------
r22185 | ghudson | 2009-04-08 12:39:33 -0400 (Wed, 08 Apr 2009) | 8 lines
Changed paths:
M /trunk/src/lib/gssapi/generic/gssapi.hin
M /trunk/src/lib/gssapi/krb5/init_sec_context.c

ticket: 6203
tags: pullup
target_version: 1.7

Using a patch from Apple, add support for GSS_C_DELEG_POLICY_FLAG,
which requests delegation only if the ok-as-delegate ticket flag is
set.

https://github.com/krb5/krb5/commit/3ce5ddc67c2209f9e4a8bb694fd3eb45d8208350
Commit By: tlyu
Revision: 22255
Changed Files:
U branches/krb5-1-7/src/lib/gssapi/generic/gssapi.hin
U branches/krb5-1-7/src/lib/gssapi/krb5/init_sec_context.c

# Tue Apr 21 17:41:03 2009 ghudson@mit.edu (Greg Hudson) - Correspondence added

Download (untitled) / with headers
text/plain 301B

Love, do you have code to implement the cross-realm part of this change
in MIT krb5? (Corresponding to r23846 in Heimdal which strips
ok-as-delegate from cross-realm tickets if the TGT ticket didn't have it.)

If not I will do it myself this week; I just want to make sure I'm not
duplicating effort.

# Tue Apr 21 17:41:38 2009 ghudson@mit.edu (Greg Hudson) - Status changed from 'review' to 'open'

# Tue Apr 21 18:04:02 2009 tlyu (Taylor Yu) - Correspondence added

To:	rt@krbdev.MIT.EDU
Subject:	Re: [krbdev.mit.edu #6203] DELEG_POLICY_FLAG for GSS
From:	Tom Yu <tlyu@MIT.EDU>
Date:	Tue, 21 Apr 2009 18:03:59 -0400
RT-Send-Cc:

Download (untitled) / with headers
text/plain 448B

"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

Show quoted text

> Love, do you have code to implement the cross-realm part of this change
> in MIT krb5? (Corresponding to r23846 in Heimdal which strips
> ok-as-delegate from cross-realm tickets if the TGT ticket didn't have it.)
>
> If not I will do it myself this week; I just want to make sure I'm not
> duplicating effort.

I opened RT ticket #6473 for tracking the cross-realm ok-as-delegate
issue.

# Tue Apr 21 18:06:29 2009 ghudson@mit.edu (Greg Hudson) - Status changed from 'open' to 'review'

# Tue Apr 21 22:25:13 2009 lha (Love Hornquist Astrand) - Correspondence added

Download (untitled) / with headers
text/plain 134B

Show quoted text

> Love, do you have code to implement the cross-realm part of this change
> in MIT krb5?

I have no code for MIT Kerberos to do that.

# Wed Dec 16 18:02:52 2015 tlyu (Taylor Yu) - CustomField pullup deleted

# Sun Sep 24 20:39:52 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'review' to 'resolved'

Ticket History #6203: DELEG_POLICY_FLAG for GSS