authentication indicators and S4U2Self
Alexander Bokovoy
abokovoy at redhat.com
Thu May 7 02:36:33 EDT 2020
On ke, 06 touko 2020, Greg Hudson wrote:
>On 5/6/20 2:20 PM, Alexander Bokovoy wrote:
>> Together with Isaac we were looking into cross-realm S4U2Self
>> implementation in FreeIPA and I noticed that MIT Kerberos does not allow
>> to issue S4U2Self service ticket to a service protected with
>> an authentication indicator.
>
>I think we can just omit the indicator check for S4U2Self requests.
>Restricting how strong the initial ticket acquisition must have been to
>access a service has nothing to do with the service fetching tickets for
>itself.
Fair enough. As for the indicator for S4U2Self, we can add something
like that in sign_authdata callback in FreeIPA now that 1.18 allows to
modify authentication indicators at that point.
I reviewed https://github.com/krb5/krb5/pull/1067 and it looks good to
me. Thank you!
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
More information about the krbdev
mailing list