AD-SIGNEDPATH and cross-realm
Greg Hudson
ghudson at MIT.EDU
Thu Feb 4 22:47:51 EST 2010

I committed the two changes I mentioned (not including AD-SIGNEDPATH
when returning a cross-realm TGT and not failing out on a bad
AD-SIGNEDPATH signature).

Based on what Love said, it's possible that we also need to add a check
to disregard AD-SIGNEDPATH, and therefore deny S4U2Proxy requests, if
the delegating service presents a cross-realm TGT in the AP-REQ part of
the TGS. I need to better understand the trust implications of honoring
AD-SIGNEDPATH in that case. I couldn't find a similar check in Heimdal
but I may have just missed it.