[krbdev.mit.edu #8479] [Comment] Resource Based Constrained Delegation support
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Aug 26 13:17:31 EDT 2019
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8479
This is a comment. It is not sent to the Requestor(s):
Isaac Boukris has implemented client and KDC support, which is at or near
completion.
The client must send a PA-PAC-OPTIONS pa-data item with the bit set for RBCD
support. If the KDC responds to an S4U2Proxy request with a referral, the
client must follow the referral path to the destination realm twice, once to
get a cross-TGT with its own authdata and once to get a cross-TGT with the
impersonated client's authdata. The client must then make an S4U2Proxy request
to the destination realm with the second cross-TGT as the evidence ticket. This
is described in [MS-SFU] 3.1.5.2.2.
The KDC needs a new DAL method to authorize S4U2Proxy requests at the target
principal entry (with the intermediate service name as a parameter). We will
call this method allowed_to_delegate_from(). The KDC also needs a way to read
the client name out of the PAC for the final S4U2Proxy request. This will be
implemented via a second new DAL method get_authdata_info(); this method can
also return an opaque representation of the PAC (or other authorization data)
for consumption by sign_authdata() and allowed_to_delegate_from(), to avoid
repeat parsing.
More information about the krb5-bugs
mailing list