svn rev #21744: trunk/src/lib/kadm5/clnt/

rra@MIT.EDU rra at MIT.EDU
Tue Jan 13 19:29:05 EST 2009


http://src.mit.edu/fisheye/changelog/krb5/?cs=21744
Commit By: rra
Log Message:
Ticket: 6337

Force tickets acquired by the kadm5 client library via password
authentication to be non-forwardable and non-proxiable, overriding
any [libdefaults] configuration.  This may be necessary at sites that
set forwardable to true by default in their krb5.conf files but
disable forwardable tickets for privileged principals.  Since the
ticket cache acquired by the kadm5 client library is used only for
kadmin operations, where forwardable is not useful or necessary, there
is no reason to ever attempt to obtain forwardable or proxiable tickets
here.



Changed Files:
U   trunk/src/lib/kadm5/clnt/client_init.c
Modified: trunk/src/lib/kadm5/clnt/client_init.c
===================================================================
--- trunk/src/lib/kadm5/clnt/client_init.c	2009-01-13 23:10:48 UTC (rev 21743)
+++ trunk/src/lib/kadm5/clnt/client_init.c	2009-01-14 00:29:04 UTC (rev 21744)
@@ -541,8 +541,12 @@
 	     goto error;
      }
 
-     if (init_type != INIT_CREDS)
+     /* Credentials for kadmin don't need to be forwardable or proxiable. */
+     if (init_type != INIT_CREDS) {
 	  krb5_get_init_creds_opt_init(&opt);
+	  krb5_get_init_creds_opt_set_forwardable(&opt, 0);
+	  krb5_get_init_creds_opt_set_proxiable(&opt, 0);
+     }
 
      if (init_type == INIT_PASS) {
 	  code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
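Review bot: the new krb5_get_init_creds_opt_set_forwardable/_proxiable calls apply to every init_type other than INIT_CREDS, not only to the password path, since the guard is `if (init_type != INIT_CREDS) {` and the following `if (init_type == INIT_PASS) {` shows other branches share the same opt; the log message and the added comment should say that keytab-based initialization is affected in the same way, or the guard should be narrowed to INIT_PASS if that was the intent. The hunk also ends before the options argument of krb5_get_init_creds_password, so it is worth confirming that &opt (not NULL) is passed at each call site, because the explicit settings only override the [libdefaults] forwardable/proxiable values when that opt structure reaches the library.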
