krb5-libs/1022: accept_sec_context() specifies principal to rd_req()

[Sam Hartman]

>>>>> "Donn" == Donn Cave <donn at u.washington.edu> writes:

    Donn> Quoth Sam Hartman <hartmans at MIT.EDU>: | This patch seems
    Donn> In principle, though, I don't see this as throwing away
    Donn> information.  The information in question is "who did I
    Donn> authenticate as", and that is available in the context via
    Donn> gss_inquire_context().  (I think, haven't verified that.)
    Donn> The problem is that currently, krb5_rd_req() goes on to turn
    Donn> this information into policy, at a level that's not
    Donn> accessible to the application.  Like telnetd (which I
    Donn> believe checks principal name minus instance), ftpd could
    Donn> enforce its own policy in this matter, but it has to get
    Donn> past gss_accept_sec_context() first.

OK, but applying this patch would create a security problem for
applications that do not check the service authenticated to and that
have access to keys at multiple trust levels.

More over, I believe it would violate the intended semantics of
GSSAPI.  If I get server credentials with a specific name, it would be
inappropriate for those credentials to be valid accepter credentials
for a name that was not equivalent to the name in the server
credentials for some relation relation.