[krbdev.mit.edu #6337] kadmin should force non-forwardable tickets
Russ Allbery via RT
rt-comment at krbdev.mit.edu
Tue Jan 13 15:46:55 EST 2009
"Russ Allbery <rra at stanford.edu> via RT" <rt-comment at krbdev.mit.edu>
writes:
> In kadm5_gic_iter() when authenticating with a password, the client
> library sets up a krb5_get_init_creds_opt structure but doesn't set any
> parameters in it. Since the acquired credentials are going into a
> memory cache specific to that client invocation, forwardable tickets are
> pointless. I think the kadmin client library should therefore force the
> forwardable option (and probably the proxiable option and renewable
> time) to false.
Here's a patch. Let me know if this looks good and I'll check it in.
Index: client_init.c
===================================================================
--- src/lib/kadm5/clnt/client_init.c (revision 21740)
+++ src/lib/kadm5/clnt/client_init.c (working copy)
@@ -541,8 +541,12 @@
goto error;
}
- if (init_type != INIT_CREDS)
+ /* Credentials for kadmin don't need to be forwardable or proxiable. */
+ if (init_type != INIT_CREDS) {
krb5_get_init_creds_opt_init(&opt);
+ krb5_get_init_creds_opt_set_forwardable(&opt, 0);
+ krb5_get_init_creds_opt_set_proxiable(&opt, 0);
+ }
if (init_type == INIT_PASS) {
code = krb5_get_init_creds_password(ctx, &outcreds, client, pass,
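Review bot: the renewable lifetime that the quoted report also proposed forcing off is not handled in this hunk; only krb5_get_init_creds_opt_set_forwardable(&opt, 0) and krb5_get_init_creds_opt_set_proxiable(&opt, 0) are added, so the kadmin TGT still picks up whatever renew_lifetime the library defaults or krb5.conf supply. If the intent is that credentials in the per-invocation memory cache carry none of these flags, add krb5_get_init_creds_opt_set_renew_life(&opt, 0) beside the two new calls and widen the comment to mention renewable as well; if renewable is deliberately left alone, say so in the comment so the omission is not read as an oversight.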
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
More information about the krb5-bugs mailing list