honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?
Greg Hudson
ghudson at mit.edu
Tue Apr 30 18:01:51 EDT 2024
On 4/30/24 12:49, Ken Hornstein via Kerberos wrote:
> First off, I would advise you to NOT look at upstream Heimdal, because
> that's not helpful because it's not actually the code in question.
> Instead maybe look at the actual Heimdal source code used on MacOS X?
To expand on this: the Apple forks of open-source projects are available
at opensource.apple.com, and at
https://github.com/apple-oss-distributions (not sure if the latter is
official or community-maintained).
I looked at the Apple fork of Heimdal and didn't find any obvious code
change to honor ok-as-delegate by default. In fact, it doesn't even
implement enforce_ok_as_delegate. But both versions do implement a
ccache config setting called "realm-config" and enforce ok-as-delegate
if the 1 bit is set in the first byte of the value. Nothing in Heimdal
or Apple's fork of it sets realm-config, but the macOS native ccache
implementation or login system might do so. James could perhaps test
this theory by setting KRB5CCNAME to FILE:something, running kinit -f,
and seeing if ssh will forward those tickets.