[krbdev.mit.edu #8718] krb5_get_credentials incorrectly matches user to user ticket


Greg Hudson via RT-2
I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.

However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.  
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure (t_s4u.py runs t_s4u, which
fails in check_ticket_count()).

I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key.  So I will
look into fixing that bug first.
_______________________________________________
krb5-bugs mailing list
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
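
The interaction described in the message above, as an added toy model that is not part of the original post and is not MIT krb5 code: it shows why an unconditional is_skey match fixes the user-to-user mismatch but stops S4U2Proxy results from being found in the cache while the flag is set from the presence of a second ticket. All type and function names are hypothetical, the server name is constructed, and the model assumes the later lookup asks for a ticket with is_skey unset.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model, not krb5's types or functions. */
enum req_kind { REQ_REGULAR, REQ_USER_TO_USER, REQ_S4U2PROXY };
struct cred { const char *server; bool is_skey; };

/* Flag rule as described in the message: any second ticket sets is_skey. */
static bool flag_by_second_ticket(enum req_kind k) { return k != REQ_REGULAR; }

/* Flag rule following the documented meaning: only user-to-user tickets
 * are encrypted in another ticket's session key. */
static bool flag_by_encryption(enum req_kind k) { return k == REQ_USER_TO_USER; }

/* Cache lookup. match_skey selects whether is_skey must agree as well. */
static bool cache_hit(struct cred cached, const char *server,
                      bool want_skey, bool match_skey)
{
    if (strcmp(cached.server, server) != 0)
        return false;
    return !match_skey || cached.is_skey == want_skey;
}

/* Does a lookup with is_skey unset (assumption) find the entry cached
 * from a request of kind k? The server name is a constructed sample. */
static bool regular_lookup_hits(enum req_kind k, bool (*flag)(enum req_kind),
                                bool match_skey)
{
    struct cred cached = { "host/svc.example.test", flag(k) };
    return cache_hit(cached, "host/svc.example.test", false, match_skey);
}

int main(void)
{
    printf("U2U entry, no is_skey match:         %d\n",
           regular_lookup_hits(REQ_USER_TO_USER, flag_by_second_ticket, false));
    printf("U2U entry, is_skey match:            %d\n",
           regular_lookup_hits(REQ_USER_TO_USER, flag_by_second_ticket, true));
    printf("S4U2Proxy entry, second-ticket flag: %d\n",
           regular_lookup_hits(REQ_S4U2PROXY, flag_by_second_ticket, true));
    printf("S4U2Proxy entry, corrected flag:     %d\n",
           regular_lookup_hits(REQ_S4U2PROXY, flag_by_encryption, true));
    return 0;
}
```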