Skip Menu |

Subject: krb5_init_creds_step() can make synchronous TGS requests for FAST armor TGTs
Date: Thu, 17 Dec 2020 00:27:37 -0500
get_in_tkt.c calls krb5int_fast_as_armor(), which calls fast_armor_ap_request() if the DO_FAST flag is set.  To get the armor TGT, fast_armor_ap_request() calls krb5_get_credentials() with no special flags.  Under ordinary circumstances, this just fetches the client-realm TGT from the cache.  However, after a realm referral, krb5_get_credentials() may be asked to retrieve a TGT for another realm, in which case it will make TGS requests.

This behavior is intentional, but it does not honor the stepwise contract of krb5_init_creds_step() (which was implemented later than the FAST code).  Instead of using the sequential API, we should create a TGS state machine to be referenced from the AS step machine, and step through it until it is complete.