Subject: GSSAPI constrained delegation fails with default initiator cred
An application performs GSSAPI constrained delegation by acquiring a
GSS_C_BOTH credential, using it as the acceptor_cred_handle for
gss_accept_sec_context, then using the resulting delegated_cred_handle
with gss_init_sec_context.

This process works if the acceptor credential has resolved its ccache
(which results if the credential was acquired with a specified name, for
instance). But if that hasn't happened yet, kg_compose_deleg_cred()
rejects the acceptor credential as an impersonator_cred because
kg_is_initiator_cred() returns false.

Something in the code path needs to resolve the initiator half of the
verifier cred. The simplest fix is to make kg_accept_krb5() use
kg_cred_resolve() instead of krb5_gss_validate_cred(). That fix would
cause ccache resolution to happen in cases where it isn't required (the
caller might not have asked for a delegated credential, or the client
might not have supplied a forwardable ticket), but that's probably okay.
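Added example, not code from the ticket or from the krb5 tree: the three-step GSSAPI constrained-delegation flow the report describes (acquire a GSS_C_BOTH credential, accept with it and take delegated_cred_handle, initiate with that credential), written as one C program that plays client, service and proxy in-process so the tokens never leave the process. It assumes a reachable KDC, a TGT in the default ccache for the client half, a keytab for the service, and host-based service names such as `HTTP@www.example.com` passed on the command line (all placeholders); the `--default-cred` switch acquires the acceptor credential with GSS_C_NO_NAME, which is the unresolved-ccache case the ticket says was rejected by kg_compose_deleg_cred() before the fix, while a named credential is the case the ticket says works. Build with `-lgssapi_krb5`.

```c
/* Added example (not from the ticket or the krb5 tree): GSSAPI constrained
 * delegation in one process that plays client, service and proxy.
 * Build: cc s4u2proxy_demo.c -o s4u2proxy_demo -lgssapi_krb5  (needs a live KDC) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <gssapi/gssapi.h>

static void gss_fail(const char *what, OM_uint32 major, OM_uint32 minor)
{
    fprintf(stderr, "%s failed: major 0x%x minor 0x%x\n", what, major, minor);
    exit(1);
}

/* Import a host-based service name such as "HTTP@www.example.com" (placeholder). */
static gss_name_t import_hostbased(const char *str)
{
    OM_uint32 major, minor;
    gss_buffer_desc buf = { strlen(str), (void *)str };
    gss_name_t name;
    major = gss_import_name(&minor, &buf, GSS_C_NT_HOSTBASED_SERVICE, &name);
    if (GSS_ERROR(major))
        gss_fail("gss_import_name", major, minor);
    return name;
}

/* Step 1: the service's GSS_C_BOTH credential.  service == NULL acquires the
 * default credential, the unresolved-ccache case the ticket describes. */
static gss_cred_id_t acquire_service_cred(const char *service)
{
    OM_uint32 major, minor;
    gss_name_t name = service ? import_hostbased(service) : GSS_C_NO_NAME;
    gss_cred_id_t cred;
    major = gss_acquire_cred(&minor, name, GSS_C_INDEFINITE, GSS_C_NO_OID_SET,
                             GSS_C_BOTH, &cred, NULL, NULL);
    if (GSS_ERROR(major))
        gss_fail("gss_acquire_cred(GSS_C_BOTH)", major, minor);
    if (name != GSS_C_NO_NAME)
        gss_release_name(&minor, &name);
    return cred;
}

/* First context token from initiator cred icred to target (the only token for
 * krb5 without mutual auth).  GSS_C_NO_CREDENTIAL means the default credential. */
static gss_buffer_desc initiate(gss_cred_id_t icred, const char *target)
{
    OM_uint32 major, minor;
    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
    gss_name_t tname = import_hostbased(target);
    gss_buffer_desc token = GSS_C_EMPTY_BUFFER;
    major = gss_init_sec_context(&minor, icred, &ctx, tname, GSS_C_NO_OID, 0,
                                 GSS_C_INDEFINITE, GSS_C_NO_CHANNEL_BINDINGS,
                                 GSS_C_NO_BUFFER, NULL, &token, NULL, NULL);
    if (GSS_ERROR(major))
        gss_fail("gss_init_sec_context", major, minor);
    gss_release_name(&minor, &tname);
    gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
    return token;
}

/* Step 2: accept the client token with the GSS_C_BOTH cred as
 * acceptor_cred_handle and collect delegated_cred_handle. */
static gss_cred_id_t accept_client(gss_cred_id_t scred, gss_buffer_t token)
{
    OM_uint32 major, minor;
    gss_ctx_id_t ctx = GSS_C_NO_CONTEXT;
    gss_buffer_desc out = GSS_C_EMPTY_BUFFER;
    gss_cred_id_t deleg = GSS_C_NO_CREDENTIAL;
    major = gss_accept_sec_context(&minor, &ctx, scred, token,
                                   GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL,
                                   &out, NULL, NULL, &deleg);
    if (GSS_ERROR(major))
        gss_fail("gss_accept_sec_context", major, minor);
    gss_release_buffer(&minor, &out);
    gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER);
    return deleg;
}

int main(int argc, char **argv)
{
    OM_uint32 minor;
    gss_cred_id_t scred, deleg;
    gss_buffer_desc ctok, btok;
    int use_default = argc > 3 && strcmp(argv[3], "--default-cred") == 0;
    if (argc < 3) {
        fprintf(stderr, "usage: %s SERVICE@HOST BACKEND@HOST [--default-cred]\n", argv[0]);
        return 2;
    }
    scred = acquire_service_cred(use_default ? NULL : argv[1]);
    ctok = initiate(GSS_C_NO_CREDENTIAL, argv[1]);   /* this process as the client */
    deleg = accept_client(scred, &ctok);
    gss_release_buffer(&minor, &ctok);
    if (deleg == GSS_C_NO_CREDENTIAL) {
        fprintf(stderr, "no delegated credential (e.g. client ticket not forwardable)\n");
        return 1;
    }
    /* Step 3: initiate to the backend with the delegated (S4U2Proxy) credential. */
    btok = initiate(deleg, argv[2]);
    printf("S4U2Proxy token for %s: %lu bytes\n", argv[2], (unsigned long)btok.length);
    gss_release_buffer(&minor, &btok);
    gss_release_cred(&minor, &deleg);
    gss_release_cred(&minor, &scred);
    return 0;
}
```

Run it once with a named service credential and once with `--default-cred`: on a krb5 without the commit below, only the first run reaches step 3, because the default GSS_C_BOTH credential has not resolved its ccache when gss_accept_sec_context tries to compose the delegated credential. Note that step 2 returns GSS_C_NO_CREDENTIAL rather than an error when no delegated credential was produced, so a caller must check that handle explicitly before passing it to gss_init_sec_context.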

From: ghudson@mit.edu
Subject: SVN Commit

Resolve verifier cred in accept_sec_context

If the verifier cred handle is of type GSS_C_BOTH, we need to resolve
the initiator part of it in order to create an s4u2proxy delegated
credential handle. (If it's of type GSS_C_ACCEPT, kg_resolve_cred
won't do anything beyond locking and validating the credential.)

https://github.com/krb5/krb5/commit/dca7a82f793178c4a51bdd40a173748c3eb2c2a5
Author: Greg Hudson <ghudson@mit.edu>
Commit: dca7a82f793178c4a51bdd40a173748c3eb2c2a5
Branch: master
src/lib/gssapi/krb5/accept_sec_context.c | 5 ++-
src/tests/gssapi/t_s4u.py | 6 ++--
src/tests/gssapi/t_s4u2proxy_krb5.c | 33 ++++++++++++++---------------
3 files changed, 22 insertions(+), 22 deletions(-)