
Re: Forwarding bug for addressfull tickets in 1.0.x and 1.1rcX (and probable cause)



Hi Harald,

This should be fixed in Heimdal 1.1.

Thanks,
Love


18 Jan 2008 at 06.48, Harald Barth wrote:

>
> Since 1.x the ticketfull forwarding in rsh and telnet is broken for a
> certain setup. It works in 0.7.2. Let me describe the setup:
>
> 1. client: empty krb5.conf (default addressless tickets)
>
> 2. client: kinit -f --addr user@REALM (user gets addressfull tickets
> with command line option)
>
> 3. client: rsh -f server klist -v
>
> Credentials cache: FILE:/tmp/krb5cc_0
>        Principal: user@REALM
>    Cache version: 4
>
> Server: krbtgt/REALM@REALM
> Ticket etype: des3-cbc-sha1, kvno 5
> Auth time:  Jan 18 14:27:18 2008
> Start time: Jan 18 15:30:45 2008
> End time:   Jan 19 00:27:18 2008
> Ticket flags: forwarded, transited-policy-checked
> Addresses: IPv4: A.B.C.D
>
> shows the A.B.C.D IP addr of client instead of the server in the
> forwarded ticket.
>
> I think I found out why....
>
> lib/krb5/get_for_creds.c contains
>
> krb5_get_forwarded_creds(...)
> 	...
>    {
> 	krb5_boolean noaddr;
> 	krb5_appdefault_boolean(context, NULL, realm,
> 				"no-addresses", KRB5_ADDRESSLESS_DEFAULT,
> 				&noaddr);
> 	if (noaddr)
> 	    paddrs = NULL;
>    }
> 	
> 	...
>
> which sets noaddr = 1 and paddrs = NULL in the above environment.
> As there _are_ addrs in the ticket, this decision is wrong and
> will screw up the ticket forwarding later. The decision to fuss
> around with addrs in the ticket must be made on the fact if there
> are addrs in the ticket, not on some global environment setting.
> In effect this code _prohibits_ the more safety aware user to
> use addressfull tickets on a default configured computer.
>
> The workaround is to globally make addressfull tickets hostwide
> configured default again (as 0.7.2).
>
> krb5.conf:
> [appdefaults]
> 	no-addresses = false
>
> Harald.
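
A check for the symptom described in the report, as an added example that is not part of the original messages or of Heimdal: run on the receiving host, it parses `klist -v` output in the layout quoted above and reports forwarded tickets whose address list names none of that host's own addresses. The function names and the 192.0.2.x sample addresses are assumptions made for illustration; only IPv4 entries are examined, and a ticket with no IPv4 entries is treated as addressless.

```python
import ipaddress
import re

# Constructed sample in the layout of the `klist -v` output quoted above;
# 192.0.2.10 stands in for the client address (A.B.C.D in the report).
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: user@REALM
    Cache version: 4

Server: krbtgt/REALM@REALM
Ticket etype: des3-cbc-sha1, kvno 5
Auth time:  Jan 18 14:27:18 2008
Start time: Jan 18 15:30:45 2008
End time:   Jan 19 00:27:18 2008
Ticket flags: forwarded, transited-policy-checked
Addresses: IPv4: 192.0.2.10
"""


def parse_tickets(text):
    """Split klist -v output into one dict per ticket, keyed by field name."""
    tickets, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue                      # blank or non "key: value" line
        if key == "Server":               # each ticket entry starts here
            cur = {}
            tickets.append(cur)
        if cur is not None:               # skip the cache header fields
            cur[key] = value.strip()
    return tickets


def misbound_forwarded(text, host_addrs):
    """Return (server, addresses) for every forwarded ticket that carries
    addresses but none belonging to this host (host_addrs)."""
    local = {ipaddress.ip_address(a) for a in host_addrs}
    findings = []
    for t in parse_tickets(text):
        flags = {f.strip() for f in t.get("Ticket flags", "").split(",")}
        addrs = [ipaddress.ip_address(a) for a in
                 re.findall(r"IPv4:\s*([0-9.]+)", t.get("Addresses", ""))]
        # Addressless tickets (empty addrs) have nothing to compare.
        if "forwarded" in flags and addrs and local.isdisjoint(addrs):
            findings.append((t["Server"], [str(a) for a in addrs]))
    return findings
```

Pass the output of `klist -v` captured on the server and that server's own addresses as `host_addrs`; an empty result means every address-bound forwarded ticket names the receiving host.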