[RFC] fix bug 12007
simo at samba.org
Wed Jul 6 20:02:00 UTC 2016
On Wed, 2016-07-06 at 09:49 +0200, Stefan Metzmacher wrote:
> Hi Simo,
> > >
> > > >
> > > > What flags are passed in ? Can you point me at the code path
> > > > that
> > > > generates this ?
> > > >
> > > It's in the default gse context flags.
> > > In gse_context_init(), we have:
> > >
> > > gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
> > > *GSS_C_DELEG_FLAG* |
> > This *must* definitely be made conditional IMHO, it is not ok to
> > just
> > send your TGT by default to third parties, it means
> > malicious/compromised 3rd parties can simply grab it and then fully
> > impersonate you to other services.
> It's the KDC's job to check that it trusts the service and include
> the delegated creds only if that's the case.
This is not enforced by the KDC, it is something the
GSS_C_DELEG_POLICY_FLAG does by inspecting the answers from the KDC,
but the KDC itself does not make a hard policy decision, it is up to
the client to follow it.
I know the flag is request (the very next) flag, but I think we should
not ask for delegatable credentials in the first place if we do not
intend to delegate credentials for a specific operation.
Delegating credentials (ie a TGT) should limited to trusted systems and
services (like SSH), all other services can simply use constrained
delegation to perform actions on behalf of users.
More information about the samba-technical