honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

Greg Hudson ghudson at mit.edu
Tue Apr 30 18:01:51 EDT 2024


On 4/30/24 12:49, Ken Hornstein via Kerberos wrote:
> First off, I would advise you to NOT look at upstream Heimdal, because
> that's not helpful because it's not actually the code in question.
> Instead maybe look at the actual Heimdal source code used on MacOS X?

To expand on this: the Apple forks of open-source projects are available 
at opensource.apple.com, and at 
https://github.com/apple-oss-distributions (not sure if the latter is 
official or community-maintained).

I looked at the Apple fork of Heimdal and didn't find any obvious code 
change to honor ok-as-delegate by default.  In fact, it doesn't even 
implement enforce_ok_as_delegate.  But both versions do implement a 
ccache config setting called "realm-config" and enforce ok-as-delegate 
if the 1 bit is set in the first byte of the value.  Nothing in Heimdal 
or Apple's fork of it sets realm-config, but the macOS native ccache 
implementation or login system might do so.  James could perhaps this 
test theory by setting KRB5CCNAME to FILE:something, running kinit -f, 
and seeing if ssh will forward those tickets.


More information about the Kerberos mailing list