Ticket History #8718: krb5_get_credentials incorrectly matches user to user ticket

# Wed Aug 01 09:59:44 2018 Todd Lubin <tlubin@janestreet.com> - Ticket created

From:	Todd Lubin <tlubin@janestreet.com>
Date:	Wed, 1 Aug 2018 09:17:51 -0400
Subject:	krb5_get_credentials incorrectly matches user to user ticket
To:	krb5-bugs@mit.edu

Download (untitled) / with headers
text/plain 511B

Download (untitled) / with headers
text/html 1.1KiB

It seems like there is no way to instruct krb5_get_credentials not to use a cached user-to-user ticket for a particular service principal.

When you pass in KRB5_GC_USER_USER, there is care taken to ensure only a user-to-user ticket is selected. However, the lack of that flag doesn't prevent a user-to-user ticket from being selected from the cache.

It seems like either:

1) the lack of KRB5_GC_USER_USER should only match standard tickets

2) there should be some other flag introduced to express this desire

# Fri Aug 03 10:37:40 2018 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'open'

# Fri Aug 03 10:37:40 2018 ghudson@mit.edu (Greg Hudson) - Correspondence added

Download (untitled) / with headers
text/plain 799B

I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.

However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure (t_s4u.py runs t_s4u, which
fails in check_ticket_count()).

I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key. So I will
look into fixing that bug first.

# Mon Aug 27 18:19:32 2018 ghudson@mit.edu (Greg Hudson) - Given to ghudson@mit.edu (Greg Hudson)

# Mon Aug 27 18:19:32 2018 ghudson@mit.edu (Greg Hudson) - Status changed from 'open' to 'resolved'

# Mon Aug 27 18:19:32 2018 ghudson@mit.edu (Greg Hudson) - Correspondence added

From:	ghudson@mit.edu
Subject:	git commit

Download (untitled) / with headers
text/plain 609B

Limit matching of user-to-user ccache credentials

In krb5int_cc_creds_match_request(), do not yield a user-to-user
credential if the caller is not looking for one; it would not be
useful when a normal service ticket (encrypted in the service key) is
required. Reported by Todd Lubin.

https://github.com/krb5/krb5/commit/77ee8336c3f4d39d12146d8a631f9abd595d4cbb
Author: Greg Hudson <ghudson@mit.edu>
Commit: 77ee8336c3f4d39d12146d8a631f9abd595d4cbb
Branch: master
src/lib/krb5/ccache/cc_retr.c | 5 +++++
src/tests/t_u2u.py | 8 ++++++++
2 files changed, 13 insertions(+), 0 deletions(-)

# Mon Aug 27 18:29:53 2018 ghudson@mit.edu (Greg Hudson) - Ticket 8718 RefersTo ticket 8721.

# Sat Oct 27 11:45:52 2018 ghudson@mit.edu (Greg Hudson) - Version_Fixed 1.17 added