[krbdev.mit.edu #8547] Allow client principal canonicalization for non-TGT AS requests
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Tue Feb 7 11:51:16 EST 2017
get_in_tkt.c:verify_as_reply() allows changes to the client and server
principals in the reply under certain conditions. We only allow changes
to the server principal if the requested and received server principal
are krbtgt principals, in order to mitigate some of the attacks
described in the security considerations of RFC 6806. However, we also
disallow changes to the client principal for non-krbtgt requests, which
does not seem to have any rationale. See:
http://mailman.mit.edu/pipermail/krbdev/2017-February/012721.html
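
The acceptance rule described in the message above, next to the relaxation the ticket title asks for, as an added example (not part of the original message and not the libkrb5 code). It is a simplified model: principals are plain strings, and the `canon_requested` flag is an assumed stand-in for the "certain conditions" the message mentions; all names and sample values are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: principals are "name@REALM" strings, not krb5_principal. */
struct as_exchange {
    const char *req_client, *req_server; /* principals sent in the AS-REQ */
    const char *rep_client, *rep_server; /* principals found in the AS-REP */
    bool canon_requested; /* assumption: stands in for "certain conditions" */
};

static bool is_krbtgt(const char *p) { return strncmp(p, "krbtgt/", 7) == 0; }
static bool same(const char *a, const char *b) { return strcmp(a, b) == 0; }

/* Server changes are tolerated only from one krbtgt principal to another. */
static bool server_ok(const struct as_exchange *x)
{
    return same(x->req_server, x->rep_server) ||
           (x->canon_requested && is_krbtgt(x->req_server) &&
            is_krbtgt(x->rep_server));
}

/* Behaviour the ticket describes: a client change also needs the krbtgt pair. */
bool accept_current(const struct as_exchange *x)
{
    bool tgt_pair = is_krbtgt(x->req_server) && is_krbtgt(x->rep_server);
    bool client_ok = same(x->req_client, x->rep_client) ||
                     (x->canon_requested && tgt_pair);
    return client_ok && server_ok(x);
}

/* Behaviour the ticket asks for: client change allowed for any server. */
bool accept_proposed(const struct as_exchange *x)
{
    bool client_ok = same(x->req_client, x->rep_client) || x->canon_requested;
    return client_ok && server_ok(x);
}

/* Constructed sample: client name canonicalized on a non-TGT AS request. */
const struct as_exchange sample_non_tgt = {
    "alice@EXAMPLE.COM", "kadmin/changepw@EXAMPLE.COM",
    "alice.smith@EXAMPLE.COM", "kadmin/changepw@EXAMPLE.COM", true
};

int main(void)
{
    printf("current=%d proposed=%d\n", accept_current(&sample_non_tgt),
           accept_proposed(&sample_non_tgt));
    return 0;
}
```

In both versions a changed server principal on a non-krbtgt request is still rejected, which is the RFC 6806 mitigation the message refers to.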