Re: Renewing forwarded TGTs
Andreas Haupt <ahaupt@ifh.de> writes:
> Hello,
>
> some people at our site request the possibility to renew forwarded TGTs.
> The problem is that only initial tickets are renewable - forwarded aren't.
>
> Is there a special option I missed or is it simply not possible (for
> security reasons, ...) to do this?
It's a bug/mis-feature.
I've not fixed it since I find it unclear how krb5_fwd_tgt_creds and
krb5_get_forwarded_creds should work.
Love
--- lib/krb5/get_for_creds.c
+++ lib/krb5/get_for_creds.c
@@ -35,6 +35,21 @@
RCSID("$Id: get_for_creds.c,v 1.41 2004/01/05 15:17:25 lha Exp $");
+static int
+ticketflags2kdc_opt(TicketFlags ticketflags)
+{
+ int flags = 0;
+ if (ticketflags.forwardable)
+ flags |= KDC_OPT_FORWARDABLE;
+ if (ticketflags.proxiable)
+ flags |= KDC_OPT_PROXIABLE;
+ if (ticketflags.may_postdate)
+ flags |= KDC_OPT_ALLOW_POSTDATE;
+ if (ticketflags.renewable)
+ flags |= KDC_OPT_RENEWABLE_OK;
+ return flags;
+}
+
static krb5_error_code
add_addrs(krb5_context context,
krb5_addresses *addr,
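Review bot: in ticketflags2kdc_opt() the renewable ticket flag is mapped to KDC_OPT_RENEWABLE_OK, which only tells the KDC that a renewable ticket is acceptable as a fallback when the requested lifetime cannot be granted; the option that actually asks for a renewable ticket is KDC_OPT_RENEWABLE. Since the point of this patch is to let a forwarded TGT be renewed, the line should probably read `flags |= KDC_OPT_RENEWABLE;` (with renew-till carried over from the source ticket), or the choice of RENEWABLE_OK should be explained in a comment. The new static function also has no comment stating that it translates the flags of an existing ticket into the KDC options used to request a ticket with matching properties; one line above it would save the next reader from guessing.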
@@ -195,8 +210,13 @@
realm,
&ticket);
if(ret == 0) {
+ krb5_flags t;
if (ticket->addresses.len == 0)
paddrs = NULL;
+ t = ticketflags2kdc_opt(ticket->flags.b);
+ if ((flags & KDC_OPT_FORWARDABLE) == 0)
+ t &= ~KDC_OPT_FORWARDABLE;
+ flags |= t;
krb5_free_creds (context, ticket);
}
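Review bot: only KDC_OPT_FORWARDABLE is masked against what the caller asked for; the proxiable, may_postdate and renewable bits inherited from the TGT via `t = ticketflags2kdc_opt(ticket->flags.b);` are OR'd into `flags` unconditionally, so a caller that did not request a proxiable or renewable forwarded ticket gets one anyway whenever the source TGT carries those flags. Either apply the same `if ((flags & X) == 0) t &= ~X;` treatment to each inherited bit, or document that inheriting them regardless of the caller's request is intended. Note also that nothing is inherited when the ticket lookup fails (ret != 0), so the options sent to the KDC then differ silently from the success path.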
@@ -216,7 +236,9 @@
return ret;
}
- kdc_flags.i = flags;
+ flags |= KDC_OPT_FORWARDED;
+
+ kdc_flags.b = int2KDCOptions(flags);
ret = krb5_get_kdc_cred (context,
ccache,
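Review bot: `flags |= KDC_OPT_FORWARDED;` forces the FORWARDED option regardless of what the caller passed in; if the caller already set it this line is redundant, and if not it is a behaviour change, so the commit message or a comment should say which is the case. Replacing `kdc_flags.i = flags;` with `kdc_flags.b = int2KDCOptions(flags);` is the right move, since it avoids relying on the union's bitfield layout lining up with the integer view, but it deserves a brief mention in the commit message as well since it is independent of the renewable-TGT fix.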