Adding new principal attributes?
Luke Howard
lukeh at padl.com
Thu Oct 6 02:23:45 EDT 2011
On 06/10/2011, at 5:15 PM, Nico Williams wrote:
> I have a need for a principal attribute that indicates that the given
> principal cannot handle large tickets, which should then cause the TGS
> to strip out large non-critical authorization-data (e.g., the PAC).
You could use KRB5_KDB_NO_AUTH_DATA_REQUIRED. See handle_kdb_authdata:
    /*
     * Check whether KDC issued authorization data should be included.
     * A server can explicitly disable the inclusion of authorization
     * data by setting the KRB5_KDB_NO_AUTH_DATA_REQUIRED flag on its
     * principal entry. Otherwise authorization data will be included
     * if it was present in the TGT, the client is from another realm
     * or protocol transition/constrained delegation was used, or, in
     * the AS-REQ case, if the pre-auth data indicated the PAC should
     * be present.
     */
    if (tgs_req) {
        assert(enc_tkt_request != NULL);

        if (isflagset(server->attributes, KRB5_KDB_NO_AUTH_DATA_REQUIRED))
            return 0;

        if (enc_tkt_request->authorization_data == NULL &&
            !isflagset(flags, KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U))
            return 0;

        assert(enc_tkt_reply->times.authtime == enc_tkt_request->times.authtime);
    } else {
        if (!isflagset(flags, KRB5_KDB_FLAG_INCLUDE_PAC))
            return 0;
    }
-- Luke
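As an added illustration of the decision Luke quotes (this is not code from the krb5 tree or from anyone in this thread), the following stand-alone C model reproduces the three early returns of handle_kdb_authdata and runs them against constructed inputs, including Nico's case of a service principal that cannot take large tickets. The flag bit values, the struct layouts, and the kdc_issues_authdata and scenario_* names are assumptions made for this example; the real constants live in kdb.h and differ.

```c
/* Added example, not MIT krb5 code: a stand-alone model of the decision
 * made by the handle_kdb_authdata excerpt quoted above. The flag bit
 * values, struct layouts and scenario helpers are assumptions made for
 * this illustration; the real values live in kdb.h. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed bit values (illustrative only; not the libkdb5 constants). */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED  0x00001000u /* server principal attribute */
#define KRB5_KDB_FLAG_CROSS_REALM       0x00000001u /* KDC request flags */
#define KRB5_KDB_FLAGS_S4U              0x00000006u /* any S4U2Self/S4U2Proxy bit */
#define KRB5_KDB_FLAG_INCLUDE_PAC       0x00000008u

struct principal_entry { unsigned int attributes; };
struct enc_tkt_part    { const unsigned char *authorization_data; };

/* Mirrors the early returns in the quoted code: true means the KDC goes
 * on to build KDC-issued authorization data (e.g. the PAC) for the reply,
 * false means it is skipped entirely. */
bool kdc_issues_authdata(bool tgs_req, unsigned int flags,
                         const struct principal_entry *server,
                         const struct enc_tkt_part *enc_tkt_request)
{
    if (tgs_req) {
        if (enc_tkt_request == NULL)        /* the krb5 code asserts here */
            return false;
        /* Explicit opt-out on the service principal wins over everything. */
        if (server->attributes & KRB5_KDB_NO_AUTH_DATA_REQUIRED)
            return false;
        /* Nothing to propagate and no cross-realm or S4U path: skip. */
        if (enc_tkt_request->authorization_data == NULL &&
            !(flags & (KRB5_KDB_FLAG_CROSS_REALM | KRB5_KDB_FLAGS_S4U)))
            return false;
        return true;
    }
    /* AS-REQ: only if pre-auth indicated a PAC should be present. */
    return (flags & KRB5_KDB_FLAG_INCLUDE_PAC) != 0;
}

/* Constructed sample input (not captured from a real KDC). */
static const unsigned char sample_pac[] = { 0x01, 0x02, 0x03 };

/* Nico's case: the service cannot take large tickets, TGT carries a PAC. */
bool scenario_small_ticket_service(void)
{
    struct principal_entry svc = { KRB5_KDB_NO_AUTH_DATA_REQUIRED };
    struct enc_tkt_part tgt = { sample_pac };
    return kdc_issues_authdata(true, 0, &svc, &tgt);
}

/* Ordinary service, TGT carries a PAC: authdata is included. */
bool scenario_normal_service_with_pac(void)
{
    struct principal_entry svc = { 0 };
    struct enc_tkt_part tgt = { sample_pac };
    return kdc_issues_authdata(true, 0, &svc, &tgt);
}

/* Ordinary service, TGT without authdata, same realm: nothing to issue. */
bool scenario_normal_service_without_pac(void)
{
    struct principal_entry svc = { 0 };
    struct enc_tkt_part tgt = { NULL };
    return kdc_issues_authdata(true, 0, &svc, &tgt);
}

/* TGT without authdata but the client came cross-realm: KDC builds it. */
bool scenario_cross_realm_without_pac(void)
{
    struct principal_entry svc = { 0 };
    struct enc_tkt_part tgt = { NULL };
    return kdc_issues_authdata(true, KRB5_KDB_FLAG_CROSS_REALM, &svc, &tgt);
}

/* AS-REQ: decided purely by the INCLUDE_PAC request flag. */
bool scenario_as_req(bool preauth_wants_pac)
{
    struct principal_entry svc = { 0 };
    return kdc_issues_authdata(false,
                               preauth_wants_pac ? KRB5_KDB_FLAG_INCLUDE_PAC : 0,
                               &svc, NULL);
}

int main(void)
{
    printf("small-ticket service, TGT has PAC   : %d\n", scenario_small_ticket_service());
    printf("normal service, TGT has PAC         : %d\n", scenario_normal_service_with_pac());
    printf("normal service, TGT has no authdata : %d\n", scenario_normal_service_without_pac());
    printf("cross-realm, TGT has no authdata    : %d\n", scenario_cross_realm_without_pac());
    printf("AS-REQ with INCLUDE_PAC             : %d\n", scenario_as_req(true));
    printf("AS-REQ without INCLUDE_PAC          : %d\n", scenario_as_req(false));
    return 0;
}
```

Note the caveat the quoted comment itself states: KRB5_KDB_NO_AUTH_DATA_REQUIRED on the service principal disables all KDC-issued authorization data for that service, not selectively the large non-critical elements Nico asked about, and it is checked before the cross-realm and S4U conditions, so those paths do not override it.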