[krbdev.mit.edu #6555] k5_pac_validate_client()

Luke Howard via RT rt-comment at krbdev.mit.edu
Tue Sep 1 21:30:13 EDT 2009


> Bug in 1.7 in k5_pac_validate_client(), in 1.7. It would be nice to  
> fix this for 1.7.1.
>
> The issue is that PACs from principals in different realms to the  
> service fail to validate.
>
> The fix to pac.c is to ignore the realm component (because the  
> principal name in the PAC is unqualified):
>
>     if (pac_authtime != authtime ||
>         !krb5_principal_compare_flags(context,
>                                       pac_principal,
>                                       principal,
>                                       KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
>         ret = KRB5KRB_AP_WRONG_PRINC;
>
> -- Luke
> --
> www.padl.com | www.fghr.net
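
An added example, not part of the original message or the krb5 source: a self-contained C model of the check quoted above, showing why a strict comparison rejects a cross-realm client and what the ignore-realm flag changes. The struct, function names, realm names and the assumption that the unqualified PAC name ends up with the service's own realm are hypothetical stand-ins for the real krb5 types and calls.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for krb5_principal (hypothetical, not the krb5 type). */
struct princ { const char *realm; int ncomp; const char *comp[2]; };

#define CMP_IGNORE_REALM 0x1  /* models KRB5_PRINCIPAL_COMPARE_IGNORE_REALM */
#define ERR_WRONG_PRINC  (-1) /* models KRB5KRB_AP_WRONG_PRINC */

/* Models krb5_principal_compare_flags(): returns 1 on match, 0 otherwise. */
static int princ_compare_flags(const struct princ *a, const struct princ *b,
                               int flags)
{
    if (!(flags & CMP_IGNORE_REALM) && strcmp(a->realm, b->realm) != 0)
        return 0;
    if (a->ncomp != b->ncomp)
        return 0;
    for (int i = 0; i < a->ncomp; i++)
        if (strcmp(a->comp[i], b->comp[i]) != 0)
            return 0;
    return 1;
}

/* The check from the report, with the compare flags as a parameter. */
static int validate_client(const struct princ *pac_princ, long pac_authtime,
                           const struct princ *client, long authtime, int flags)
{
    if (pac_authtime != authtime ||
        !princ_compare_flags(pac_princ, client, flags))
        return ERR_WRONG_PRINC;
    return 0;
}

/* Constructed sample data. Assumption: the unqualified PAC name "alice" was
 * parsed into the service's realm, while the ticket client is in another. */
static const struct princ pac_alice = { "SERVICE.EXAMPLE", 1, { "alice" } };
static const struct princ tkt_alice = { "CLIENT.EXAMPLE", 1, { "alice" } };
static const struct princ tkt_bob   = { "CLIENT.EXAMPLE", 1, { "bob" } };

int main(void)
{
    printf("strict compare, cross-realm:  %d\n",
           validate_client(&pac_alice, 100, &tkt_alice, 100, 0));
    printf("ignore realm, cross-realm:    %d\n",
           validate_client(&pac_alice, 100, &tkt_alice, 100, CMP_IGNORE_REALM));
    printf("ignore realm, different name: %d\n",
           validate_client(&pac_alice, 100, &tkt_bob, 100, CMP_IGNORE_REALM));
    return 0;
}
```

In this model the name components and the authtime must still match once the realm is ignored, so a PAC naming a different user is still rejected.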




