krb5-libs/1022: accept_sec_context() specifies principal to rd_req()
hartmans at MIT.EDU
Mon Apr 8 15:13:00 EDT 2002
>>>>> "Donn" == Donn Cave <donn at u.washington.edu> writes:
Donn> Quoth Sam Hartman <hartmans at MIT.EDU>: | This patch seems
Donn> In principle, though, I don't see this as throwing away
Donn> information. The information in question is "who did I
Donn> authenticate as", and that is available in the context via
Donn> gss_inquire_context(). (I think, haven't verified that.)
Donn> The problem is that currently, krb5_rd_req() goes on to turn
Donn> this information into policy, at a level that's not
Donn> accessible to the application. Like telnetd (which I
Donn> believe checks principal name minus instance), ftpd could
Donn> enforce its own policy in this matter, but it has to get
Donn> past gss_accept_sec_context() first.
OK, but applying this patch would create a security problem for
applications that do not check the service authenticated to and that
have access to keys at multiple trust levels.
More over, I believe it would violate the intended semantics of
GSSAPI. If I get server credentials with a specific name, it would be
inappropriate for those credentials to be valid accepter credentials
for a name that was not equivalent to the name in the server
credentials for some relation relation.
More information about the krbdev