[krbdev.mit.edu #8718] krb5_get_credentials incorrectly matches user to user ticket
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Fri Aug 3 10:37:40 EDT 2018
I am inclined towards option 1, because a user-to-user credential is
not useful if you are looking for a regular ticket.
However, it seems that we also tag constrained delegation (S4U2Proxy)
results with the is_skey flag, because kdcrep2creds() just checks
whether there was a second ticket in the request to set that flag.
So if we always apply the is_skey field match, we break caching of
S4U2Proxy results, causing a test failure (t_s4u.py runs t_s4u, which
fails in check_ticket_count()).
I think setting the is_skey field for S4U2Proxy results is a bug,
since the is_skey field is documented as "true if the ticket is
encrypted in another ticket's skey", and tickets resulting from
S4U2Proxy are encrypted in the service's long-term key. So I will
look into fixing that bug first.
More information about the krb5-bugs
mailing list