tkt->client must be equal to in_cred->client
hartmans at MIT.EDU
Wed Feb 25 09:45:18 EST 2009
>>>>> "Nikhil" == Nikhil Mishra <nikhilm at gs-lab.com> writes:
Nikhil> Hi All, I have been working on developing client support
Nikhil> for MS S4U extensions in MIT Kerberos.
I'd really recommend you sit down and do a project writeup on
k5wiki.kerberos.org; you should have access there.
I think it would be a lot easier for me to evaluate what you're doing
with a reasonably complete design laid out rather than one chunk at a
For example it is not obvious to me that krb5_get_credentials is the
right place to do this. Unfortunately, krb5_get_credentials is not a
very extensible API. The credentials structure is public so it cannot
change. It may well be that when you think through all the options,
this is the best choice; I expect you've thought through these issues,
but the rest of us have not, and as a result have trouble following
Nikhil> 2. In krb5_get_cred_via_tkt() there is a strict check:
Nikhil> /* tkt->client must be equal to in_cred->client */
Nikhil> if (!krb5_principal_compare(context, tkt->client, in_cred->client))
Nikhil>     return KRB5_PRINC_NOMATCH;
Nikhil> Why are we checking for this equality here?
As best I can tell, it's a local sanity check. in_cred->client is the
client identity on whose behalf you're getting a ticket. In the
Kerberos protocol without S4U that identity only appears in the
ticket. So if that check is not present, the API effectively has a
client parameter that is never actually checked.
I think relaxing the check in the S4U case would be reasonable.
Since krb5_get_cred_via_tkt is an internal API, it might also be
reasonable to move the check into its callers if they are in a better
position to know whether S4U is happening.
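The check discussed above, as an added C illustration that is not part of this message or of MIT krb5. The principal and creds types, the error code and the s4u2self flag are stand-ins; the S4U2Self branch goes one step beyond the thread by binding the ticket client to the requested server, which is an assumption about how a relaxed check should still constrain the caller.

```c
#include <stdbool.h>
#include <string.h>

/* Stand-in for a Kerberos principal: realm plus a single name component
 * (a real krb5_principal carries several components and a type). */
typedef struct { const char *realm; const char *name; } principal;
/* Stand-in for the fields of krb5_creds that the check looks at. */
typedef struct { principal client; principal server; } creds;

#define OK 0
#define ERR_PRINC_NOMATCH 1   /* plays the role of KRB5_PRINC_NOMATCH */

/* Plays the role of krb5_principal_compare(): same realm, same name. */
static bool principal_equal(const principal *a, const principal *b) {
    return strcmp(a->realm, b->realm) == 0 && strcmp(a->name, b->name) == 0;
}

/* The sanity check from krb5_get_cred_via_tkt with the relaxation from the
 * thread made explicit.  Without S4U the ticket's client must be the identity
 * the caller asked for, otherwise in_cred->client is never checked at all.
 * For S4U2Self the TGT presented belongs to the service itself, so the
 * ticket client is required to match the requested server instead; that
 * keeps the relaxation from accepting an arbitrary TGT.  The s4u2self flag
 * is an assumed parameter, not part of the MIT krb5 interface. */
static int check_ticket_client(const principal *tkt_client,
                               const creds *in_cred, bool s4u2self) {
    const principal *expected = s4u2self ? &in_cred->server
                                         : &in_cred->client;
    return principal_equal(tkt_client, expected) ? OK : ERR_PRINC_NOMATCH;
}

/* Constructed scenario: a request for user alice to service http/app,
 * driven by a TGT whose client principal is tkt_name. */
static int run_scenario(const char *tkt_name, bool s4u2self) {
    principal tkt_client = {"EXAMPLE.COM", tkt_name};
    creds in_cred = {{"EXAMPLE.COM", "alice"}, {"EXAMPLE.COM", "http/app"}};
    return check_ticket_client(&tkt_client, &in_cred, s4u2self);
}
```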
More information about the krbdev