authentication indicators and S4U2Self

Alexander Bokovoy abokovoy at
Thu May 7 02:36:33 EDT 2020

On ke, 06 touko 2020, Greg Hudson wrote:
>On 5/6/20 2:20 PM, Alexander Bokovoy wrote:
>> Together with Isaac we were looking into cross-realm S4U2Self
>> implementation in FreeIPA and I noticed that MIT Kerberos does not allow
>> to issue S4U2Self service ticket to a service protected with
>> an authentication indicator.
>I think we can just omit the indicator check for S4U2Self requests.
>Restricting how strong the initial ticket acquisition must have been to
>access a service has nothing to do with the service fetching tickets for

Fair enough. As for the indicator for S4U2Self, we can add something
like that in sign_authdata callback in FreeIPA now that 1.18 allows to
modify authentication indicators at that point.

I reviewed and it looks good to
me. Thank you!

/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

More information about the krbdev mailing list