[krbdev.mit.edu #8479] git commit

Greg Hudson via RT rt at KRBDEV-PROD-APP-1.mit.edu
Mon Sep 9 10:33:25 EDT 2019


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479 >


S4U2Proxy evidence tickets needn't be forwardable

With the introduction of resource-based constrained delegation, the
absence of the forwardable flag no longer implies that a ticket cannot
be used for constrained delegation requests.

Instead, we should check in the PAC to see if the user is marked as
sensitive, and error out in that case rather than making a failed
request.  But we don't always have access to the PAC and we currently
do not have the code to retrieve this attribute from the PAC.

Since krb5_get_credentials_for_proxy() no longer needs to look at the
decrypted ticket, change kvno to not require a keytab for constrained
delegation.

[ghudson at mit.edu: made minor style changes and commit message edits;
updated documentation]

https://github.com/krb5/krb5/commit/e131d339b81a22bfc91ab96990c3be9e7779200e
Author: Isaac Boukris <iboukris at gmail.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: e131d339b81a22bfc91ab96990c3be9e7779200e
Branch: master
 doc/appdev/gssapi.rst                    |   35 ++++++++++---------------
 src/clients/kvno/kvno.c                  |   40 ++++++++++++++---------------
 src/lib/gssapi/krb5/accept_sec_context.c |    3 +-
 src/lib/gssapi/krb5/init_sec_context.c   |    1 -
 src/lib/gssapi/krb5/s4u_gss_glue.c       |   14 ++--------
 src/lib/krb5/krb/s4u_creds.c             |   16 +++--------
 src/tests/gssapi/t_s4u.py                |   25 ++++++++----------
 7 files changed, 53 insertions(+), 81 deletions(-)
