Ticket History #6473: strip ok-as-delegate if not in cross-realm TGT chain

# Tue Apr 21 14:54:32 2009 tlyu (Taylor Yu) - Ticket created

Subject:

strip ok-as-delegate if not in cross-realm TGT chain

Download (untitled) / with headers
text/plain 249B

The existing implementation of GSS_C_DELEG_POLICY_FLAG does not examine cross-realm
tickets leading to the service ticket. Implement Heimdal's solution of stripping ok-as-delegate
flags inside get_creds if an intervening cross-realm TGT lacks it.

# Tue Apr 21 14:54:33 2009 tlyu (Taylor Yu) - Ticket 6473 RefersTo ticket 6203.

# Tue Apr 21 15:34:09 2009 hartmans (Sam Hartman) - Correspondence added

To:	rt@krbdev.mit.edu
Subject:	Re: [krbdev.mit.edu #6473] strip ok-as-delegate if not in cross-realm TGT chain
From:	Sam Hartman <hartmans@mit.edu>
Date:	Tue, 21 Apr 2009 15:34:07 -0400
RT-Send-Cc:

Download (untitled) / with headers
text/plain 414B

Show quoted text

>>>>> "Tom" == Tom Yu via RT <rt-comment@krbdev.mit.edu> writes:

Show quoted text

Tom> The existing implementation of GSS_C_DELEG_POLICY_FLAG does
Tom> not examine cross-realm tickets leading to the service
Tom> ticket. Implement Heimdal's solution of stripping
Tom> ok-as-delegate flags inside get_creds if an intervening
Tom> cross-realm TGT lacks it.

I think this is definitely a good long-term solution.

# Thu Apr 23 02:19:41 2009 ghudson@mit.edu (Greg Hudson) - Taken

# Thu Apr 23 02:24:54 2009 ghudson@mit.edu (Greg Hudson) - Correspondence added

Download (untitled) / with headers
text/plain 523B

A snag: our KDC never returns ok-as-delegate on a cross-realm TGT.
Luke's code in do_tgs_req.c does:

is_referral = krb5_is_tgs_principal(server.princ) &&
!krb5_principal_compare(kdc_context, tgs_server, server.princ);
[,..]
if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE) &&
!is_referral) {
/* Ensure that we are not returning a referral */
setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
}

I'll ask Luke why he thought that check was appropriate, I guess.

# Thu Apr 23 04:42:41 2009 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Thu Apr 23 04:42:41 2009 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Thu Apr 23 04:42:41 2009 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 317B

In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.

https://github.com/krb5/krb5/commit/12f5bc018cfbe01a7f4f761f5260287d5b3f5e8c
Commit By: ghudson
Revision: 22272
Changed Files:
U trunk/src/lib/krb5/krb/gc_via_tkt.c

# Mon May 11 16:55:20 2009 tlyu (Taylor Yu) - Version_Fixed 1.7 added

# Mon May 11 16:55:20 2009 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 593B

pull up r22272 from trunk

------------------------------------------------------------------------
r22272 | ghudson | 2009-04-23 04:42:40 -0400 (Thu, 23 Apr 2009) | 7 lines
Changed paths:
M /trunk/src/lib/krb5/krb/gc_via_tkt.c

ticket: 6473
tags: pullup

In krb5_get_cred_via_tkt, strip the ok-as-delegate flag from
credentials obtained using a foreign TGT, unless the TGT also has
ok-as-delegate set.

https://github.com/krb5/krb5/commit/07f92976ad159438ad521b7f29146a69d17c85be
Commit By: tlyu
Revision: 22327
Changed Files:
U branches/krb5-1-7/src/lib/krb5/krb/gc_via_tkt.c

# Wed Dec 16 18:02:53 2015 tlyu (Taylor Yu) - CustomField pullup deleted

# Sun Sep 24 20:39:54 2017 ghudson@mit.edu (Greg Hudson) - Status changed from 'review' to 'resolved'