[krbdev.mit.edu #1230] Transited realm handling

Tom Yu tlyu at MIT.EDU
Tue Oct 29 18:24:01 EST 2002

>>>>> "hartmans" == Sam Hartman <hartmans at MIT.EDU> writes:

hartmans> We could include an additional fix to better deal with
hartmans> encodings that include a trailing null received from other
hartmans> KDCs.

I would support ignoring of NULs in the transited field.

hartmans> The disadvantage is that we would consider realms differing
hartmans> only in a trailing null character the same for trust
hartmans> comparisons.  Also, it is not clear how useful the fix will
hartmans> be since I think our current KDC code will always force a
hartmans> non-null transited encoding to fail the cross-realm policy
hartmans> check.

RFC 1510 forbade NULs in realm names, so this shouldn't create a
security issue.  Failing to ignore NULs in transited fields basically
forces all realms involved in a transitive cross-realm authentication
to be running code that doesn't insert the NUL characters.


More information about the krbdev mailing list