Patch to ignore service principals when accepting connexions.
Sam Hartman
hartmans at painless-security.com
Wed Aug 25 19:11:50 EDT 2010
>>>>> "Luke" == Luke Howard <lukeh at padl.com> writes:
>> Taking a look at the code, we only seem to use the service name in the
>> ticket if the keytab operations vector doesn't include sequential gets.
>> That's only true for the kdb keytab.
Luke> From rd_req_dec.c:
Luke> if (server != NULL || keytab->ops->start_seq_get == NULL) {
Luke> ...
Yes, but a couple of lines down:
    if (server != NULL || keytab->ops->start_seq_get == NULL) {
        retval = krb5_kt_get_entry(context, keytab,
                                   server != NULL ? server : req->ticket->server,
                                   req->ticket->enc_part.kvno,
                                   req->ticket->enc_part.enctype, &ktent);
Note that the name from the ticket is only used if server is null.