[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

[Greg Hudson]

On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts it's own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.

I'm not sure about "any KDC in the trust chain trusts the next hop."
RFC 4120 doesn't think about cross-realm relationships in terms of
trust.  Simply having cross-realm keys with another realm doesn't
necessarily imply that the other realm is trustworthy.

> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) is their current form?

Well, it's mandatory in RFC 4120 section 2.7:

   Application servers MUST either do the transited-realm checks
   themselves or reject cross-realm tickets without
   TRANSITED-POLICY-CHECKED set.

It would be okay to skip this check on application servers if the ticket
has the TRANSITED-POLICY-CHECKED flag.  Heimdal appears to do this but
MIT krb5 does not; I'm not sure why as that behavior dates to before my
time.