Re: kpasswd w/forwardable

[Assar Westerlund <assar@sics.se>]

David Nerenberg <david2@email.mot.com> writes:
> Upon investigation, I see that the kadmin/changepw principal has
> "disallow-forwardable" set as an attribute.  This brings me to two
> questions, first, why is this set?  Just because a ticket is
> forwardable doesn't mean it was forwarded from another realm, so why
> is this bad?

Basically, because there's only a `forwardable' bit in the database.
As long as you can't issue forwardable tickets you should not get
forwarded ones either.  And besides, it doesn't seem to hurt.

> Second, with this setup, how could I force kpasswd to get a
> non-forwardable ticket for its use?

With the included patch. :-)

> (For that matter, how would I even get kinit to get a
> non-forwardable ticket, I only see options to get a forwardable one
> - this appears to assume the default is not to get a forwardable)

With `--forwardable=no' or `--no-forwardable', this works with all
long options.  There's no short option, but you can abbreviate it as
long as it's unique (so actually `--no-f' works).

/assar
Index: kpasswd.c
===================================================================
RCS file: /afs/pdc.kth.se/src/packages/kth-krb/SourceRepository/heimdal/kpasswd/kpasswd.c,v
retrieving revision 1.20
diff -u -w -u -w -r1.20 kpasswd.c
--- kpasswd.c	1999/12/02 17:05:00	1.20
+++ kpasswd.c	2000/01/28 03:09:59
@@ -79,6 +79,8 @@
     krb5_get_init_creds_opt_init (&opt);
     
     krb5_get_init_creds_opt_set_tkt_life (&opt, 300);
+    krb5_get_init_creds_opt_set_forwardable (&opt, FALSE);
+    krb5_get_init_creds_opt_set_proxiable (&opt, FALSE);
 
     argc -= optind;
     argv += optind;