Re: Forwarding bug for addressfull tickets in 1.0.x and 1.1rcX (and probable cause)
This should be fixed in heimdal 1.1
On 18 Jan 2008, at 06:48, Harald Barth wrote:
> Since 1.x the ticketfull forwarding in rsh and telnet is broken for a
> certain setup. It works in 0.7.2. Let me describe the setup:
> 1. client: empty krb5.conf (default addressless tickets)
> 2. client: kinit -f --addr user@REALM (user gets addressfull tickets
> with command line option)
> 3. client: rsh -f server klist -v
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: user@REALM
> Cache version: 4
> Server: krbtgt/REALM@REALM
> Ticket etype: des3-cbc-sha1, kvno 5
> Auth time: Jan 18 14:27:18 2008
> Start time: Jan 18 15:30:45 2008
> End time: Jan 19 00:27:18 2008
> Ticket flags: forwarded, transited-policy-checked
> Addresses: IPv4: A.B.C.D
> shows the A.B.C.D IP addr of client instead of the server in the
> forwarded ticket.
> I think I found out why....
> lib/krb5/get_for_creds.c contains
>     krb5_boolean noaddr;
>     krb5_appdefault_boolean(context, NULL, realm,
>                             "no-addresses", KRB5_ADDRESSLESS_DEFAULT,
>                             &noaddr);
>     if (noaddr)
>         paddrs = NULL;
> which sets noaddr = 1 and paddrs = NULL in the above environment.
> As there _are_ addrs in the ticket, this decision is wrong and
> will screw up the ticket forwarding later. The decision to fuss
> around with addrs in the ticket must be made on the fact if there
> are addrs in the ticket, not on some global environment setting.
> In effect this code _prohibits_ the more safety aware user to
> use addressfull tickets on a default configured computer.
> The workaround is to globally make addressfull tickets hostwide
> configured default again (as 0.7.2).
> no-addresses = false
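
An added example, not part of the original thread or of Heimdal: a check to run on the server after `rsh -f`, flagging forwarded tickets whose addresses include none of the server's own, which is the symptom described above. The sample text is constructed on the layout of the quoted `klist -v` output; the function names and the 192.0.2.x addresses are assumptions.

```python
import ipaddress
import re

# Constructed sample modeled on the quoted `klist -v` output
# (192.0.2.10 stands in for the client address A.B.C.D).
SAMPLE = """\
Credentials cache: FILE:/tmp/krb5cc_0
Principal: user@REALM
Cache version: 4

Server: krbtgt/REALM@REALM
Ticket etype: des3-cbc-sha1, kvno 5
Ticket flags: forwarded, transited-policy-checked
Addresses: IPv4: 192.0.2.10
"""

def parse_tickets(text):
    """Split klist -v output into one dict per ticket, keyed by field name."""
    tickets, cur = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Server":          # each ticket block starts with Server:
            cur = {}
            tickets.append(cur)
        if cur is not None:
            cur[key] = value
    return tickets

def ticket_addresses(ticket):
    """Return the set of IP addresses listed in a ticket's Addresses field."""
    addrs = set()
    for item in ticket.get("Addresses", "").split(","):
        m = re.match(r"\s*IPv[46]:\s*(\S+)", item)
        if m:
            addrs.add(ipaddress.ip_address(m.group(1)))
    return addrs

def misaddressed_forwarded(text, local_addrs):
    """Forwarded tickets that carry addresses, none of which is a local one."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    bad = []
    for t in parse_tickets(text):
        flags = [f.strip() for f in t.get("Ticket flags", "").split(",")]
        addrs = ticket_addresses(t)
        if "forwarded" in flags and addrs and not (addrs & local):
            bad.append((t["Server"], sorted(map(str, addrs))))
    return bad
```

Pass the receiving host's own addresses as `local_addrs`; addressless tickets are never flagged, since they carry no address to compare.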