[krbdev.mit.edu #1202] KDC rejects unknown flags

Ken Raeburn via RT rt-comment at krbdev.mit.edu
Thu Dec 12 20:35:02 EST 2002


[hartmans - Thu Dec 12 17:22:45 2002]:

> Love points out that our KDC also rejects the disabled transited check
> option which it does understand.

Yes, that's part of the protection against exploitation of the old
chk_trans.c bug.  We shouldn't make the KDC obey this flag
unconditionally without warning admins that they'll need to upgrade
servers that are too old.  (Not obeying but not rejecting would probably
be okay.)


