[RFC] fix bug 12007
Stefan Metzmacher
metze at samba.org
Wed Jul 6 07:49:15 UTC 2016
Hi Simo,
>>> What flags are passed in ? Can you point me at the code path that
>>> generates this ?
>>>
>> It's in the default gse context flags.
>> In gse_context_init(), we have:
>>
>> gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
>> *GSS_C_DELEG_FLAG* |
>
> This *must* definitely be made conditional IMHO, it is not ok to just
> send your TGT by default to third parties, it means
> malicious/compromised 3rd parties can simply grab it and then fully
> impersonate you to other services.
It's the KDC's job to check that it trusts the service and include
the delegated creds only if that's the case.
metze
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160706/b76f9589/signature.sig>
More information about the samba-technical
mailing list