[krbdev.mit.edu #6764] has_mandatory_for_kdc_authdata checks only first authdata element

Greg Hudson via RT rt-comment at krbdev.mit.edu
Thu Sep 2 11:39:27 EDT 2010


A brief security analysis:

For application servers, authdata elements are supposed to be mandatory 
by default, meaning the server should reject the request if it doesn't 
understand the authdata.  For KDCs, authdata elements are only mandatory 
if they are embedded in a MANDATORY-FOR-KDC container.

Because of this bug, the KDC might not properly reject a request which 
contains a MANDATORY-FOR-KDC container.  This is no worse than the 
behavior in 1.7 and prior, so this does not constitute a serious security 
issue.  I'm not aware of any defined authdata types which make use of 
MANDATORY-FOR-KDC.
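The two policies described above (application servers treat authdata as mandatory by default; the KDC treats it as mandatory only inside a MANDATORY-FOR-KDC container) and the "only the first element is examined" defect from the ticket title, as an added example in C. This is illustrative code written for this page, not Greg Hudson's message and not MIT krb5's own implementation: the `authdata_elem` struct, the function names, the placeholder contents and the server's `known_types` list are all assumptions. The ad-type constants are the values assigned in RFC 4120 section 7.5.4; the AD-IF-RELEVANT exception on the application-server side also comes from RFC 4120, not from the message above.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Illustrative authdata element: ad-type tag plus opaque contents.
 * Assumption: mirrors the shape of an AuthorizationData element
 * (RFC 4120 5.2.6); it is not MIT krb5's krb5_authdata type. */
typedef struct {
    int ad_type;
    size_t length;
    const unsigned char *contents;
} authdata_elem;

/* ad-type values from RFC 4120 section 7.5.4. */
#define AD_IF_RELEVANT        1
#define AD_KDC_ISSUED         4
#define AD_MANDATORY_FOR_KDC  8

/* The behaviour the ticket reports: only authdata[0] is examined, so a
 * MANDATORY-FOR-KDC container anywhere later in the list is missed. */
bool has_mandatory_for_kdc_buggy(const authdata_elem *const *authdata)
{
    if (authdata == NULL || authdata[0] == NULL)
        return false;
    return authdata[0]->ad_type == AD_MANDATORY_FOR_KDC;
}

/* Corrected check: walk the whole NULL-terminated list. */
bool has_mandatory_for_kdc(const authdata_elem *const *authdata)
{
    size_t i;
    if (authdata == NULL)
        return false;
    for (i = 0; authdata[i] != NULL; i++) {
        if (authdata[i]->ad_type == AD_MANDATORY_FOR_KDC)
            return true;
    }
    return false;
}

/* KDC policy: authdata is mandatory for the KDC only when wrapped in
 * MANDATORY-FOR-KDC. Assumption: this hypothetical KDC implements no
 * MANDATORY-FOR-KDC types, so any such container means it does not
 * understand the request and must reject it (returns true to reject). */
bool kdc_must_reject(const authdata_elem *const *authdata)
{
    return has_mandatory_for_kdc(authdata);
}

/* Application-server policy: every element is mandatory unless it is the
 * advisory AD-IF-RELEVANT wrapper (RFC 4120: may be ignored if not
 * understood), so any other ad-type outside the server's known set causes
 * rejection. known_types is a hypothetical list terminated by 0, which is
 * not a valid ad-type. */
bool app_server_must_reject(const authdata_elem *const *authdata,
                            const int *known_types)
{
    size_t i;
    const int *k;
    if (authdata == NULL)
        return false;
    for (i = 0; authdata[i] != NULL; i++) {
        bool known = false;
        if (authdata[i]->ad_type == AD_IF_RELEVANT)
            continue;
        for (k = known_types; *k != 0; k++) {
            if (*k == authdata[i]->ad_type) {
                known = true;
                break;
            }
        }
        if (!known)
            return true;
    }
    return false;
}

/* Constructed requests (not captured traffic): contents are placeholder
 * bytes rather than real DER, since only the ad-type tags matter here. */
static const unsigned char placeholder[] = { 0x30, 0x00 };
static const authdata_elem ad_if_relevant = { AD_IF_RELEVANT, 2, placeholder };
static const authdata_elem ad_mandatory   = { AD_MANDATORY_FOR_KDC, 2, placeholder };
const authdata_elem *const request_with_container_second[] =
    { &ad_if_relevant, &ad_mandatory, NULL };
const authdata_elem *const request_without_container[] =
    { &ad_if_relevant, NULL };
/* Hypothetical application server that only implements AD-KDC-ISSUED. */
const int server_known_types[] = { AD_KDC_ISSUED, 0 };

int main(void)
{
    printf("buggy check sees container: %d\n",
           has_mandatory_for_kdc_buggy(request_with_container_second)); /* prints 0 */
    printf("fixed check sees container: %d\n",
           has_mandatory_for_kdc(request_with_container_second));       /* prints 1 */
    printf("KDC rejects: %d, app server rejects: %d\n",
           kdc_must_reject(request_with_container_second),              /* 1 */
           app_server_must_reject(request_with_container_second,
                                  server_known_types));                 /* 1 */
    return 0;
}
```

The point of the second request is that the container sits in position 1, not 0: the buggy check reports no MANDATORY-FOR-KDC element, so the KDC would process a request it was supposed to refuse, which is exactly the failure the ticket describes. The application-server path rejects the same request for a different reason: MANDATORY-FOR-KDC is simply an ad-type it does not implement, and for an application server every non-IF-RELEVANT element is mandatory.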


