Constrained delegation cross realm

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

Constrained delegation cross realm

Peter Mogensen

Currently cross-realm S4U2proxy is explicitly disabled in

For some use cases it could be useful to do this however. Unfortunately
the decision to enable it in cases where the security implications are
understood is not just a small patch to the code... it actually affects
the on-the-wire protocol. More specifically: How is signing of
AD-SIGNEDPATH done and with which key.

I found this old discussion: 

Are there any news on this issue?
Like Loves suggestion to checksum the AD-SIGNEDPATH with the target
realm cross-realm key when issuing cross-ream TGTs?


PS: Also ... if anyone has pointers to the intention of the
"method_data" field of KRB5SignedPath. Is it just an unspecified
typed-hole for applications to put stuff into or was there a specific
use case behind the design?

krbdev mailing list             [hidden email]