From: Toby Blake <toby@inf.ed.ac.uk>
Subject: ksu doesn't allow acquisition of non-forwardable tickets
Date: Fri, 9 Nov 2018 16:22:42 +0000
To: krb5-bugs@mit.edu
Hi,

If a principal has the DISALLOW_FORWARDABLE attribute in the KDC, but
/etc/krb5.conf has forwardable = true, then it is impossible to obtain
a ticket using ksu ("KDC policy rejects request while getting initial
credentials").

Would you be interested in a patch to implement a -F option (in the same
way as kinit) to explicitly request a non-forwardable ticket?

Cheers
Toby Blake
School of Informatics
University of Edinburgh


--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
A ksu -F option seems reasonable, since it already has a -f option.
Adding a -P option at the same time for symmetry seems appropriate,
although I don't think proxiable tickets are used with any frequency.

Ticket 7871 would also address this problem on the KDC side. (But the
client changes are still valuable due to existing KDCs and other KDC
implementations.)
From: Toby Blake <toby@inf.ed.ac.uk>
Subject: Re: [krbdev.mit.edu #8761] ksu doesn't allow acquisition of non-forwardable tickets
Date: Wed, 14 Nov 2018 14:58:00 +0000
To: rt-comment@krbdev-prod-app-1.mit.edu
RT-Send-Cc:
> On 13 Nov 2018, at 16:57, Greg Hudson via RT <rt-comment@krbdev-prod-app-1.mit.edu> wrote:
>
> A ksu -F option seems reasonable, since it already has a -f option.
> Adding a -P option at the same time for symmetry seems appropriate,
> although I don't think proxiable tickets are used with any frequency.
>
> Ticket 7871 would also address this problem on the KDC side. (But the
> client changes are still valuable due to existing KDCs and other KDC
> implementations.)

Thanks Greg.

A KDC side option would be preferred by us, as it's a lot easier to patch
the KDCs than all the clients, but as you say, fixing ksu in this way
would also be desirable.

Cheers
Toby


From: ghudson@mit.edu
Subject: git commit

Add ksu option for non-forwardable tickets

Add ksu -F and -P options to explicitly not request forwardable and
proxiable tickets.

https://github.com/krb5/krb5/commit/0e4932982665c69cc4417eb7dbf0eda87fe5bd3e
Author: Greg Hudson <ghudson@mit.edu>
Commit: 0e4932982665c69cc4417eb7dbf0eda87fe5bd3e
Branch: master
doc/user/user_commands/ksu.rst | 15 +++++++++++++--
src/clients/ksu/main.c | 11 +++++++++--
2 files changed, 22 insertions(+), 4 deletions(-)