[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson ghudson at mit.edu
Fri Sep 27 11:01:18 EDT 2019

On 9/25/19 4:09 AM, Stefan Metzmacher wrote:
> I just realized that verifying the PAC gains no additional protection.
> As the client realm, client principal and transited fields are
> in the encrypted part of the ticket, which is encrypted with the machine
> trust password.

I don't think this follows.  It's true that the PAC, client principal,
and transited list are all coming from the service's KDC with integrity
protection, but the question is to what degree the KDC is vouching for
that information.

If the TRANSITED-POLICY-CHECKED flag is not set in the ticket, the
service should assume that the KDC applied no policy to the transit
path.  In practice, the DISABLE-TRANSITED-CHECK request flag, together
with MS-KILE, means that it is easy to get most KDCs not to
apply policy.  Without policy controls, any realm in the transitive
closure of cross-realm keys can issue tickets for clients in any other
realm (except perhaps the service realm itself).

The PAC contents, on the other hand, may be subject to policy controls.

> I implemented GSS_KRB5_CRED_NO_TRANSIT_CHECK_X for
> MIT, Heimdal (both upstream and Samba) and make use of
> it in Samba.
> So we need to push it Heimdal first in order to avoid
> conflicts later.

From past discussions I would not expect the Heimdal project to take
action on a patch in an email attachment sent to the discussion list.  I
would suggest making a pull request at
https://github.com/heimdal/heimdal .
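The service-side check described above (a service that sees a ticket without TRANSITED-POLICY-CHECKED should apply its own transit policy rather than assume the KDC did), as an added example that is not code from this thread, from MIT krb5, Heimdal or Samba: it expands the RFC 4120 section 3.3.3.2 DOMAIN-X500-COMPRESS transited encoding into the full realm path and accepts the ticket only if every intermediate realm is on an allow-list the service controls. The TicketView type, the allow-list and the sample tickets are constructed for the demonstration; the flag and tr-type constants are the RFC 4120 values (MIT krb5 exposes the flag as TKT_FLG_TRANSIT_POLICY_CHECKED). Null subfields, the path-specifier shorthand, are deliberately rejected rather than expanded, since this checker has no view of the realm hierarchy.

```python
"""Service-side transit-path policy check for a cross-realm Kerberos ticket.

Added example; not code from the thread or from MIT krb5/Heimdal/Samba.
Implements the RFC 4120 3.3.3.2 DOMAIN-X500-COMPRESS expansion plus a
simple allow-list policy, applied only when the KDC did not set the
TRANSITED-POLICY-CHECKED ticket flag.  TicketView and all sample values
are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

# RFC 4120 5.3: TicketFlags bit 12 = transited-policy-checked.  ASN.1 bit n
# of a 32-bit flag word is 1 << (31 - n); MIT krb5 names the same value
# TKT_FLG_TRANSIT_POLICY_CHECKED (0x00080000).
TKT_FLG_TRANSIT_POLICY_CHECKED = 1 << (31 - 12)
# RFC 4120 3.3.3.2: TransitedEncoding tr-type 1 = DOMAIN-X500-COMPRESS.
TR_TYPE_DOMAIN_X500_COMPRESS = 1


class TransitedError(ValueError):
    """The transited field is malformed or uses a form this checker rejects."""


def _subfields(encoded: str) -> List[List[Tuple[str, bool]]]:
    """Split on unescaped commas.  Each subfield is a list of (char, escaped)
    so that a quoted ',' '.' or '/' can be told apart from a special one."""
    fields: List[List[Tuple[str, bool]]] = [[]]
    i = 0
    while i < len(encoded):
        c = encoded[i]
        if c == "\\":
            if i + 1 >= len(encoded):
                raise TransitedError("dangling escape at end of transited field")
            fields[-1].append((encoded[i + 1], True))
            i += 2
            continue
        if c == ",":
            fields.append([])
        else:
            fields[-1].append((c, False))
        i += 1
    return fields


def expand_transited(encoded: str) -> List[str]:
    """Expand a DOMAIN-X500-COMPRESS string into the intermediate realms, in order.

    RFC 4120 3.3.3.2 rules: an unescaped trailing '.' prepends the subfield to
    the previous realm ("EDU,MIT." -> MIT.EDU); an unescaped leading '.'
    appends it to the previous realm; a leading '/' is an X.500 name taken
    literally.  The realm before the first subfield is treated as the null
    realm.  A null subfield ("A,,B") is a path specifier meaning that unlisted
    hierarchical realms between its neighbours were also transited; this
    checker cannot enumerate them, so it rejects such tickets instead of
    guessing.
    """
    if encoded == "":
        return []  # direct cross-realm: no intermediate realms
    realms: List[str] = []
    prev = ""
    for tokens in _subfields(encoded):
        if not tokens:
            raise TransitedError("null subfield (path specifier) not supported")
        text = "".join(ch for ch, _ in tokens)
        first, first_esc = tokens[0]
        last, last_esc = tokens[-1]
        if first == "/" and not first_esc:
            realm = text          # X.500-style name, no compression applies
        elif last == "." and not last_esc:
            realm = text + prev   # prefix compression: "MIT." + "EDU"
        elif first == "." and not first_esc:
            realm = prev + text   # suffix compression
        else:
            realm = text
        realms.append(realm)
        prev = realm
    return realms


@dataclass(frozen=True)
class TicketView:
    """Constructed view of the fields the check needs; assumed to come from
    the EncTicketPart the service already decrypted with its own key."""
    client_realm: str
    server_realm: str
    flags: int
    tr_type: int
    tr_contents: str


def transit_path(ticket: TicketView) -> List[str]:
    """Full realm path: client realm, expanded intermediates, service realm."""
    if ticket.tr_type != TR_TYPE_DOMAIN_X500_COMPRESS:
        raise TransitedError(f"unsupported tr-type {ticket.tr_type}")
    return [ticket.client_realm] + expand_transited(ticket.tr_contents) + [ticket.server_realm]


def check_transit_policy(ticket: TicketView, trusted_intermediates: Set[str],
                         honour_kdc_flag: bool = True) -> bool:
    """Return True if the service should accept the ticket's transit path.

    With TRANSITED-POLICY-CHECKED set the KDC vouches for the path and the
    check is skipped unless honour_kdc_flag is False.  Otherwise every
    intermediate realm must be one this service explicitly trusts to vouch
    for foreign clients; anything else, including a transited form the
    expander cannot interpret, fails closed.
    """
    if honour_kdc_flag and ticket.flags & TKT_FLG_TRANSIT_POLICY_CHECKED:
        return True
    try:
        intermediates = transit_path(ticket)[1:-1]
    except TransitedError:
        return False
    return all(realm in trusted_intermediates for realm in intermediates)


if __name__ == "__main__":
    # Constructed policy for a service in CS.WASHINGTON.EDU.
    trusted = {"MIT.EDU", "EDU", "WASHINGTON.EDU"}
    samples = {
        "direct":      TicketView("MIT.EDU", "CS.WASHINGTON.EDU", 0, 1, ""),
        "hierarchy":   TicketView("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", 0, 1,
                                  "MIT.EDU,EDU,WASHINGTON."),
        "unexpected":  TicketView("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU", 0, 1,
                                  "MIT.EDU,EDU,OTHER."),
        "kdc-vouched": TicketView("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU",
                                  TKT_FLG_TRANSIT_POLICY_CHECKED, 1,
                                  "MIT.EDU,EDU,OTHER."),
    }
    for name, tkt in samples.items():
        print(f"{name:12s} accept={check_transit_policy(tkt, trusted)}")
```

The honour_kdc_flag switch exists because the flag only tells the service that some KDC policy ran, not which one; a service that wants its own transit policy enforced regardless of what the KDC did can pass honour_kdc_flag=False and rely solely on its allow-list.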
