Re: heimdal 0.6.[34] ticket forwarding or GSSAPI delegation, tickets have wrong address


Brandon S Allbery KF8NH-2
On Thu, 2005-05-19 at 18:52 +0200, Love Hörnquist Åstrand wrote:

> "Brandon S. Allbery KF8NH" <[hidden email]> writes:
> > On Wed, 2005-05-04 at 09:45 -0400, Brandon S. Allbery KF8NH wrote:
> >> Basically, if I forward tickets, either via krb5 or via GSSAPI, the
> >> forwarded tickets have the originating host's address instead of the
> >> target system's address, making them quite useless.  See the attached
> >> sample (typescript from "telnet -F").
> >
> > So, do I infer this behavior is an intentional feature?
>
> I can't reproduce it. Can you tell me what the krb5_get_forwarded_creds
> ends up putting in addrs?

Getting a debugging build proved difficult; I'm not sure why...

(gdb) n
203         if (paddrs != NULL) {
(gdb) n
205             ret = getaddrinfo (hostname, NULL, NULL, &ai);
(gdb) n
206             if (ret) {
(gdb) n
213             ret = add_addrs (context, &addrs, ai);
(gdb) n
214             freeaddrinfo (ai);
(gdb) print addrs
$10 = {len = 1, val = 0x6b250}
(gdb) print addrs->val
$11 = (HostAddress *) 0x6b250
(gdb) print addrs->val[0]
$12 = {addr_type = 2, address = {length = 4, data = 0x6aec0}}
(gdb) print addrs->val[0].address.data
$13 = (void *) 0x6aec0
(gdb) print addrs->val[0].address.data[0]
Attempt to dereference a generic pointer.
(gdb) print ((char *)addrs->val[0].address.data)[0]
$14 = -128 '\200'
(gdb) print ((char *)addrs->val[0].address.data)[1]
$15 = 2 '\002'
(gdb) print ((char *)addrs->val[0].address.data)[2]
$16 = -120 '\210'
(gdb) print ((char *)addrs->val[0].address.data)[3]
$17 = -124 '\204'
(gdb) print ((unsigned char *)addrs->val[0].address.data)[2]
$18 = 136 '\210'
(gdb) print ((unsigned char *)addrs->val[0].address.data)[3]
$19 = 132 '\204'

...which looks right for tully.ece.cmu.edu (connection is from hilfy.ece
to tully.ece).  Nevertheless the tickets received on tully still have
hilfy's address.

--
brandon s. allbery   [linux,solaris,freebsd,perl]      [hidden email]
system administrator      [WAY too many hats]        [hidden email]
electrical and computer engineering, carnegie mellon univ.         KF8NH
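
An added example, not part of the original post and not Heimdal code: it turns the addr_type/length/data fields printed in the gdb session above into a readable address, so the signed-char values do not have to be converted by hand. The struct, enum and function names are hypothetical stand-ins; the type codes 2 (IPv4) and 24 (IPv6) are the Kerberos address types from RFC 4120, and the sample bytes are constructed from the gdb output.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Local stand-in mirroring the fields gdb printed; not Heimdal's own header. */
struct host_address {
    int addr_type;
    struct { size_t length; void *data; } address;
};

/* Kerberos address types from RFC 4120 section 7.5.3. */
enum { KRB_ADDR_IPV4 = 2, KRB_ADDR_IPV6 = 24 };

/* Render one address as text.
 * Returns 0 on success, -1 if the type is unknown or the length does not match it. */
int host_address_to_string(const struct host_address *ha, char *out, size_t outlen)
{
    int af;
    size_t want;

    if (ha->addr_type == KRB_ADDR_IPV4)      { af = AF_INET;  want = 4;  }
    else if (ha->addr_type == KRB_ADDR_IPV6) { af = AF_INET6; want = 16; }
    else return -1;

    if (ha->address.data == NULL || ha->address.length != want)
        return -1;
    return inet_ntop(af, ha->address.data, out, (socklen_t)outlen) ? 0 : -1;
}

/* Constructed sample: the four bytes gdb showed as signed chars -128, 2, -120, -124. */
static unsigned char sample_bytes[4] = {
    (unsigned char)-128, 2, (unsigned char)-120, (unsigned char)-124
};

int main(void)
{
    struct host_address ha = { KRB_ADDR_IPV4, { sizeof sample_bytes, sample_bytes } };
    char buf[INET6_ADDRSTRLEN];

    if (host_address_to_string(&ha, buf, sizeof buf) != 0)
        return 1;
    printf("%s\n", buf);
    return 0;
}
```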

