krb5-kdc/1149: KDC client lockout for DISALLOW_ALL_TIX or expiration
tlyu@MIT.EDU
Fri Aug 16 17:00:27 EDT 2002
>Number: 1149
>Category: krb5-kdc
>Synopsis: KDC client lockout for DISALLOW_ALL_TIX or expiration
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: krb5-unassigned
>State: open
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Fri Aug 16 17:01:00 EDT 2002
>Last-Modified:
>Originator: Tom Yu
>Organization:
mit
>Release: 1.2.6
>Environment:
System: SunOS saint-elmos-fire.mit.edu 5.8 Generic_108528-13 sun4u sparc SUNW,Ultra-5_10
Architecture: sun4
>Description:
The KDC doesn't check the client principal for
DISALLOW_ALL_TIX or for expiration. This happens while handling krb5
TGS_REQ or krb4 APPL_REQ, or when converting a krb5 ticket to krb4.
>How-To-Repeat:
>Fix:
Code needs to be written to check for the local realm in the
client principal, and to do the lookup and flag/expiration check.
>Audit-Trail:
>Unformatted:
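
The check described under >Fix:, sketched as an added example (not code from MIT krb5 or from this report). The `princ_entry` struct, `lookup()`, `check_client()`, the status enum and the sample database are hypothetical stand-ins for the KDC's database interface; rejecting a local-realm client with no database entry is an assumption of this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for KRB5_KDB_DISALLOW_ALL_TIX (same bit value as in kdb.h). */
#define DISALLOW_ALL_TIX 0x00000040

/* Hypothetical, simplified KDC database entry. */
struct princ_entry {
    const char *name, *realm;
    unsigned int attributes;
    time_t expiration;            /* 0 means the principal never expires */
};

enum client_status { CLIENT_OK, CLIENT_FOREIGN, CLIENT_UNKNOWN,
                     CLIENT_LOCKED, CLIENT_EXPIRED };

/* Constructed sample database; names and times are made up. */
static const struct princ_entry sample_db[] = {
    { "alice", "EXAMPLE.ORG", 0,                0    },
    { "bob",   "EXAMPLE.ORG", DISALLOW_ALL_TIX, 0    },
    { "carol", "EXAMPLE.ORG", 0,                1000 },
};

static const struct princ_entry *lookup(const char *name, const char *realm)
{
    for (size_t i = 0; i < sizeof sample_db / sizeof sample_db[0]; i++)
        if (!strcmp(sample_db[i].name, name) && !strcmp(sample_db[i].realm, realm))
            return &sample_db[i];
    return NULL;
}

/* Re-validate the client named in a presented ticket, not only the server. */
enum client_status check_client(const char *name, const char *realm,
                                const char *local_realm, time_t now)
{
    if (strcmp(realm, local_realm) != 0)
        return CLIENT_FOREIGN;    /* no local entry to consult */
    const struct princ_entry *e = lookup(name, realm);
    if (e == NULL)
        return CLIENT_UNKNOWN;    /* assumption: treat as a rejection */
    if (e->attributes & DISALLOW_ALL_TIX)
        return CLIENT_LOCKED;
    if (e->expiration != 0 && e->expiration < now)
        return CLIENT_EXPIRED;
    return CLIENT_OK;
}

int main(void)
{
    printf("bob: %d\n", check_client("bob", "EXAMPLE.ORG", "EXAMPLE.ORG", 2000));
    return 0;
}
```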