[krbdev.mit.edu #7709] Wrong order in kdc_check_transited_list()

Sumit Bose via RT rt-comment at krbdev.mit.edu
Wed Sep 25 11:16:42 EDT 2013


On Wed, Sep 25, 2013 at 10:45:22AM -0400, Greg Hudson via RT wrote:
> I have a patch in review for this and expect to push it later today.
> 
> This will be a semantic change to check_transited_realms; a module will 
> have to return KRB5_PLUGIN_NO_HANDLE to invoke the core transited-
> checking rules instead of just returning 0.  I think that's okay since 
> the KDB interface is still private and the check_transited_realms method 
> is still pretty obscure within that interface.
> 

I wonder if this can be improved by checking if the two realms are in
the same hierarchy first and calling the core functionality for this
first. If they are not in a hierarchy the module will be called and if
KRB5_PLUGIN_NO_HANDLE is returned the capaths based transited checking
will be called.

This would have the advantage that the module only has to handle the
non-hierarchical case and the [capaths] section only has to define the
non-hierarchical cases. Because, if I see it correctly, if [capaths] are
defined in krb5.conf the hierarchical relationships must be defined in
the [capaths] as well.

bye,
Sumit
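The dispatch order proposed in the message above (core hierarchy rule first, then the KDB module, then [capaths] only when the module returns KRB5_PLUGIN_NO_HANDLE), written out as an added, self-contained C example. This is not krb5's code: the result codes TR_OK/TR_DENIED/TR_NO_HANDLE stand in for 0, a policy error and KRB5_PLUGIN_NO_HANDLE, the module and the [capaths] table are constructed stand-ins, and the hierarchy test walks domain-style realm names up to their common suffix, which is the RFC 4120 hierarchical-route rule rather than the KDC's actual implementation.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical result codes; the real KDB plugin interface is not modelled. */
enum { TR_OK = 0, TR_DENIED = 1, TR_NO_HANDLE = 2 };

#define MAX_PATH 16

/* 1 if `anc` is `realm` itself or a domain-style ancestor of it
 * (EXAMPLE.COM is an ancestor of A.EXAMPLE.COM). */
static int is_ancestor_or_self(const char *anc, const char *realm)
{
    size_t la = strlen(anc), lr = strlen(realm);
    if (la == lr) return strcmp(anc, realm) == 0;
    return lr > la && realm[lr - la - 1] == '.' && strcmp(realm + lr - la, anc) == 0;
}

/* Fill `path` with the intermediate realms on the hierarchical route from
 * client to server (endpoints excluded), in route order. Returns the count,
 * or -1 when the realms share no common ancestor (no hierarchical route). */
static int hier_intermediates(const char *client, const char *server, const char *path[MAX_PATH])
{
    int n = 0, m = 0;
    const char *r = client, *down[MAX_PATH];

    /* Ascend from the client realm until reaching an ancestor of the server. */
    while (!is_ancestor_or_self(r, server)) {
        const char *dot = strchr(r, '.');
        if (dot == NULL) return -1;                 /* ran out of labels: unrelated trees */
        r = dot + 1;
        if (strcmp(r, server) != 0 && n < MAX_PATH) path[n++] = r;
    }
    /* Collect server and its ancestors below the common realm r, then add
     * them in descending order, skipping down[0] which is the server itself. */
    for (const char *s = server; strcmp(s, r) != 0; s = strchr(s, '.') + 1)
        if (m < MAX_PATH) down[m++] = s;
    for (int i = m - 1; i > 0; i--)
        if (n < MAX_PATH) path[n++] = down[i];
    return n;
}

/* Core hierarchy rule: every transited realm must lie on the hierarchical
 * route between client and server, in route order. */
static int is_hierarchical(const char *client, const char *server, const char *const *trans, int ntrans)
{
    const char *path[MAX_PATH];
    int n = hier_intermediates(client, server, path), pos = 0;
    if (n < 0) return 0;
    for (int i = 0; i < ntrans; i++) {
        while (pos < n && strcmp(path[pos], trans[i]) != 0) pos++;
        if (pos == n) return 0;                     /* not on the route, or out of order */
        pos++;
    }
    return 1;
}

/* Constructed stand-in for a [capaths] entry: client reaches server via one hop. */
static const struct { const char *client, *server, *via; } capaths[] = {
    { "A.EXAMPLE.COM", "PARTNER.NET", "HUB.ORG" },
};

static int capaths_check(const char *client, const char *server, const char *const *trans, int ntrans)
{
    for (size_t i = 0; i < sizeof capaths / sizeof capaths[0]; i++) {
        if (strcmp(capaths[i].client, client) || strcmp(capaths[i].server, server)) continue;
        return (ntrans == 1 && strcmp(trans[0], capaths[i].via) == 0) ? TR_OK : TR_DENIED;
    }
    return TR_DENIED;                               /* no configured path: deny */
}

/* Constructed stand-in for a KDB module: it only has an opinion about one
 * non-hierarchical pair and declines (NO_HANDLE) everything else. */
static int module_check(const char *client, const char *server, const char *const *trans, int ntrans)
{
    (void)trans; (void)ntrans;
    if (strcmp(client, "A.EXAMPLE.COM") == 0 && strcmp(server, "DENIED.NET") == 0) return TR_DENIED;
    return TR_NO_HANDLE;
}

/* The proposed order: hierarchy rule, then module, then [capaths] on NO_HANDLE. */
int kdc_check_transited(const char *client, const char *server, const char *const *trans, int ntrans)
{
    if (ntrans == 0) return TR_OK;                  /* direct cross-realm: nothing transited */
    if (is_hierarchical(client, server, trans, ntrans)) return TR_OK;
    int rc = module_check(client, server, trans, ntrans);
    if (rc != TR_NO_HANDLE) return rc;
    return capaths_check(client, server, trans, ntrans);
}

int main(void)
{
    const char *const hier[] = { "A.EXAMPLE.COM", "EXAMPLE.COM" };
    const char *const hub[]  = { "HUB.ORG" };
    printf("hierarchical route: %d\n", kdc_check_transited("X.A.EXAMPLE.COM", "B.EXAMPLE.COM", hier, 2));
    printf("capaths route:      %d\n", kdc_check_transited("A.EXAMPLE.COM", "PARTNER.NET", hub, 1));
    printf("module veto:        %d\n", kdc_check_transited("A.EXAMPLE.COM", "DENIED.NET", hub, 1));
    return 0;
}
```

With this ordering the module and the [capaths] table never see a request whose transited list already satisfies the hierarchy rule, which is the simplification the message argues for; a transited realm that is off the hierarchical route, out of order, or absent from [capaths] is refused unless the module explicitly accepts it.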
