Simple ACL wildcard patch

Greg Hudson ghudson at
Fri Aug 29 10:58:10 EDT 2014

I'm moving this to krbdev at  kerberos at is more
user-oriented and isn't specific to MIT krb5.  The original message is at:

On 08/29/2014 05:54 AM, Kenneth MacDonald wrote:
> I have deployed this simple patch (attached) that checks for an asterisk
> at the beginning of the target, but followed by a non-digit.  It then
> matches on the rest of the target.

I think we can do more general wildcard matching using fnmatch(), as
long as the component isn't a back-reference.  I would rather do that
than support a wildcard at the beginning only.

It would be even better if we could do wildcard matching with
back-references mixed in, but that requires a custom fnmatch.

I found two old entries in our bug tracker containing patches for
limited wildcard support, so this is definitely not an unprecedented

> Is this patch small and simple enough to form the basis of a change to
> the core code?  If so, I'll happily patch up the documentation and
> prepare it against trunk.

There are a few issues with this patch, most of which are mooted by the
above.  The biggest thing is that pointers inside krb5_data structures
should not be assumed to be zero-terminated.  In practice,
krb5_parse_name defensively zero-terminates components, so you shouldn't
expect to run into trouble.  But we don't like to rely on that.

If you do decide to work up a patch using fnmatch, and have a github
account or don't mind making one, you can submit a pull request at  There's more information at:

Be aware that we're in the stabilization period for 1.13, so at this
point contributed new features will go into 1.14.

More information about the krbdev mailing list