Constrained delegation cross realm


Constrained delegation cross realm

Peter Mogensen
Hi,

Currently cross-realm S4U2proxy is explicitly disabled in
handle_signedpath_authdata().

For some use cases it could be useful to do this however. Unfortunately
the decision to enable it in cases where the security implications are
understood is not just a small patch to the code... it actually affects
the on-the-wire protocol. More specifically: How is signing of
AD-SIGNEDPATH done and with which key.

I found this old discussion:
http://kerberos.996246.n3.nabble.com/AD-SIGNEDPATH-and-cross-realm-td27623.html 


Is there any news on this issue?
Like Love's suggestion to checksum the AD-SIGNEDPATH with the target
realm cross-realm key when issuing cross-realm TGTs?

/Peter

PS: Also ... if anyone has pointers to the intention of the
"method_data" field of KRB5SignedPath. Is it just an unspecified
typed-hole for applications to put stuff into or was there a specific
use case behind the design?


_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev
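As an added illustration (not code from the post, from MIT Kerberos, or the real AD-SIGNEDPATH encoding), a toy Python model of why the signing key matters for cross-realm S4U2proxy: a path checksum keyed with realm A's local TGS key cannot be checked by realm B's KDC, while one keyed with the cross-realm key shared with B can. Key names, key bytes and the delegation path are constructed.

```python
import hashlib
import hmac

# Constructed toy key material (not real Kerberos keys).
KEYS = {
    "krbtgt/A@A": b"realm-A-local-tgs-key",   # held only by realm A's KDC
    "krbtgt/B@A": b"cross-realm-A-to-B-key",  # shared by realm A and realm B KDCs
    "krbtgt/B@B": b"realm-B-local-tgs-key",   # held only by realm B's KDC
}


def _path_bytes(delegation_path):
    # Canonical byte encoding of the delegation path for the toy checksum.
    return "|".join(delegation_path).encode()


def sign_path(delegation_path, key_name):
    """Issuing KDC (realm A) computes a keyed checksum over the delegation path."""
    return hmac.new(KEYS[key_name], _path_bytes(delegation_path), hashlib.sha256).digest()


def verify_path(delegation_path, checksum, available_keys):
    """Target KDC tries each key it actually holds; returns the key name that
    verifies the path, or None if no key it holds verifies it."""
    msg = _path_bytes(delegation_path)
    for name in available_keys:
        if hmac.compare_digest(hmac.new(KEYS[name], msg, hashlib.sha256).digest(), checksum):
            return name
    return None


def cross_realm_s4u2proxy(issuer_key_name):
    """Model realm A issuing a cross-realm TGT with a signed path, then realm B
    checking it. Returns the key realm B verified with, or None."""
    path = ["user@A", "service1@A"]  # constructed: service1 delegates on behalf of user
    checksum = sign_path(path, issuer_key_name)
    # Realm B's KDC holds its own local key and the cross-realm key it shares with A,
    # but never realm A's local TGS key.
    realm_b_keys = ["krbtgt/B@B", "krbtgt/B@A"]
    return verify_path(path, checksum, realm_b_keys)


def tampered_path_detected():
    """An extra hop appended after signing must not verify under any key."""
    path = ["user@A", "service1@A"]
    checksum = sign_path(path, "krbtgt/B@A")
    return verify_path(path + ["service2@B"], checksum, ["krbtgt/B@B", "krbtgt/B@A"]) is None
```

Signing with the local TGS key is what makes cross-realm verification impossible for the target realm; signing with the cross-realm key is the point of the suggestion referenced in the post.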