Patch to ignore service principals when accepting connexions.

Sam Hartman hartmans at painless-security.com
Wed Aug 25 18:04:13 EDT 2010


>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:

    >> We introduced a behavior change in 1.7 so that applications no longer
    >> examine the service name encoded in a ticket; instead, they look at
    >> whether the key matches.  This means that you can have KDC-side aliases

    Luke> Only if the service passes in GSS_C_NO_CREDENTIAL.

Are you sure?
I thought we always ignored the ticket name, but we did require that the
name stored in the keytab match the name passed in by the application.


Taking a look at the code, we only seem to use the service name in the
ticket if the keytab operations vector doesn't include sequential gets.
That's only true for the kdb keytab.
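As an added illustration of the two acceptor behaviours discussed above (a constructed Python model, not krb5's code; the principal names, kvno/enctype values and the `desired` parameter standing in for a name-bound acceptor credential are assumptions):

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    key: bytes

@dataclass(frozen=True)
class Ticket:
    sname: str    # service principal name encoded in the ticket
    kvno: int
    enctype: int
    key: bytes    # stands in for "the key the ticket is encrypted under"

def decrypts_with(ticket: Ticket, entry: KeytabEntry) -> bool:
    # Toy stand-in for a decrypt attempt: kvno, enctype and key bytes must match.
    return (entry.kvno, entry.enctype, entry.key) == (ticket.kvno, ticket.enctype, ticket.key)

def accept_by_name(keytab, ticket: Ticket) -> Optional[str]:
    """Name-based path (the case where the keytab cannot be read sequentially):
    look up the name encoded in the ticket, then check that entry's key. A ticket
    issued under a KDC-side alias names a principal the keytab does not hold."""
    for e in keytab:
        if e.principal == ticket.sname and decrypts_with(ticket, e):
            return e.principal
    return None

def accept_by_key(keytab, ticket: Ticket, desired: Optional[str] = None) -> Optional[str]:
    """Key-based path (sequential gets available): ignore ticket.sname and accept
    any entry whose key decrypts the ticket. `desired` (assumed) models an acceptor
    credential bound to one keytab name; None models accepting under any name."""
    for e in keytab:
        if desired is not None and e.principal != desired:
            continue
        if decrypts_with(ticket, e):
            return e.principal
    return None

# Constructed sample data: two service keys, plus a ticket for an alias that the
# KDC mapped onto host/server's key (same kvno, enctype and key bytes).
KEYTAB = [
    KeytabEntry("host/server.example.com@EXAMPLE.COM", 3, 18, b"K" * 16),
    KeytabEntry("ldap/server.example.com@EXAMPLE.COM", 1, 18, b"L" * 16),
]
ALIAS_TICKET = Ticket("HTTP/alias.example.com@EXAMPLE.COM", 3, 18, b"K" * 16)
```

With this data the key-based path accepts the alias ticket under host/server's entry, while the name-based path rejects it because no keytab entry is named HTTP/alias.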


