[krbdev.mit.edu #1202] KDC rejects unknown flags
Sam Hartman via RT
rt-comment at krbdev.mit.edu
Mon Dec 16 14:42:42 EST 2002
>>>>> "Ken" == Ken Raeburn via RT <rt-comment at krbdev.mit.edu> writes:
Ken> [hartmans - Thu Dec 12 17:22:45 2002]:
>> Love points out that our KDC also rejects the disabled
>> transited check option which it does understand.
Ken> Yes, that's part of the protection against exploitation of
Ken> the old chk_trans.c bug. We shouldn't make the KDC obey this
Ken> flag unconditionally without warning admins that they'll need
Ken> to upgrade servers that are too old. (Not obeying but not
Ken> rejecting would probably be okay.)
I think that doing so for 1.3 would be fine, particularly if we get
our act together and document it and publish the CERT advisory.