[kitten] Checking the transited list of a kerberos ticket in a transitive cross-realm trust situation...

Greg Hudson ghudson at mit.edu
Mon Aug 21 14:05:45 UTC 2017


On 08/18/2017 08:35 AM, Stefan Metzmacher wrote:
> While thinking about this I can't see any value in checking the
> transited list of the ticket. As that list is always under the
> control of the KDC that issued the ticket. And the service
> trusts its own KDC anyway, as well as any KDC in the trust
> chain trusts the next hop. The only reason for this list
> might be debugging.

I'm not sure about "any KDC in the trust chain trusts the next hop."
RFC 4120 doesn't think about cross-realm relationships in terms of
trust.  Simply having cross-realm keys with another realm doesn't
necessarily imply that the other realm is trustworthy.

> Is there any reason to keep the krb5_check_transited() (in Heimdal)
> and krb5_check_transited_list() (in MIT) in their current form?

Well, it's mandatory in RFC 4120 section 2.7:

   Application servers MUST either do the transited-realm checks
   themselves or reject cross-realm tickets without
   TRANSITED-POLICY-CHECKED set.

It would be okay to skip this check on application servers if the ticket
has the TRANSITED-POLICY-CHECKED flag.  Heimdal appears to do this but
MIT krb5 does not; I'm not sure why as that behavior dates to before my
time.
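As an added illustration of the RFC 4120 section 2.7 rule discussed above (example code written for this page, not MIT krb5's krb5_check_transited_list() or Heimdal's krb5_check_transited()), the following Python models the decision an application server makes: accept a local-realm ticket, rely on TRANSITED-POLICY-CHECKED only when local policy says to (the Heimdal-style behaviour), and otherwise compare every realm in the transited list against the permitted transit path. The capaths-style map, the hierarchical-path helper, the TRANSITED_POLICY_CHECKED bitmask and all realm names are constructed assumptions; the transited realm names are assumed to be already expanded, so the DOMAIN-X500-COMPRESS wire encoding is not parsed here.

```python
from dataclasses import dataclass, field

# RFC 4120 section 5.3 defines TRANSITED-POLICY-CHECKED as ticket flag bit 12.
# The integer mask below is a constructed representation for this example,
# not the ASN.1 BIT STRING used on the wire.
TRANSITED_POLICY_CHECKED = 1 << 12


@dataclass
class Ticket:
    """Fields of a decrypted ticket that the transited check needs.
    Realm names in 'transited' are assumed to be already expanded, i.e. the
    DOMAIN-X500-COMPRESS encoding (RFC 4120 section 3.3.3.2) has been decoded."""
    client_realm: str
    server_realm: str
    transited: list
    flags: int = 0


@dataclass
class TransitPolicy:
    """Local application-server policy (constructed for this example).
    capaths maps (client realm, server realm) to the intermediate realms the
    server is willing to accept, in the spirit of a capaths configuration.
    trust_kdc_check selects Heimdal-style behaviour: when the issuing KDC set
    TRANSITED-POLICY-CHECKED, skip the local check."""
    capaths: dict = field(default_factory=dict)
    trust_kdc_check: bool = False


def hierarchical_path(client_realm, server_realm):
    """Intermediate realms on the default hierarchical path (RFC 4120
    section 1.2): climb from the client realm to the longest common domain
    suffix, then descend to the server realm. Simplifying assumption: every
    realm name is a dotted domain-style name."""
    c = client_realm.upper().split(".")
    s = server_realm.upper().split(".")
    # Length of the longest common suffix, counted in labels.
    n = 0
    while n < min(len(c), len(s)) and c[-1 - n] == s[-1 - n]:
        n += 1
    path = set()
    for labels in (c, s):
        # Every ancestor realm between this end point and the common suffix,
        # the common suffix itself included.
        for i in range(1, len(labels) - n + 1):
            if labels[i:]:
                path.add(".".join(labels[i:]))
    # The end points themselves are never legitimate transit hops.
    path.discard(client_realm.upper())
    path.discard(server_realm.upper())
    return path


def check_transited(ticket, policy):
    """Decide whether an application server may accept a ticket, following
    RFC 4120 section 2.7: either check the transited realms locally or rely
    on TRANSITED-POLICY-CHECKED. Returns (accepted, reason)."""
    client = ticket.client_realm.upper()
    server = ticket.server_realm.upper()
    transited = [r.upper() for r in ticket.transited]

    if client == server:
        if transited:
            return False, "local-realm ticket carries a transited list"
        return True, "not a cross-realm ticket"

    if ticket.flags & TRANSITED_POLICY_CHECKED and policy.trust_kdc_check:
        return True, "TRANSITED-POLICY-CHECKED set; relying on the issuing KDC"

    allowed = policy.capaths.get((client, server))
    if allowed is None:
        allowed = hierarchical_path(client, server)
    else:
        allowed = {r.upper() for r in allowed}

    rejected = [r for r in transited if r not in allowed]
    if rejected:
        return False, "transit through %s not permitted" % ", ".join(rejected)
    return True, "all transited realms on the permitted path"


if __name__ == "__main__":
    # Constructed sample: a ticket that followed the hierarchical path, and one
    # whose transited list names a realm that is not on it.
    good = Ticket("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU",
                  ["MIT.EDU", "EDU", "WASHINGTON.EDU"])
    odd = Ticket("ATHENA.MIT.EDU", "CS.WASHINGTON.EDU",
                 ["MIT.EDU", "ROGUE.EXAMPLE", "WASHINGTON.EDU"],
                 flags=TRANSITED_POLICY_CHECKED)
    for name, tkt, pol in [("good, MIT-style", good, TransitPolicy()),
                           ("odd, MIT-style", odd, TransitPolicy()),
                           ("odd, Heimdal-style", odd, TransitPolicy(trust_kdc_check=True))]:
        print(name, check_transited(tkt, pol))
```

The last two calls in the demo show the difference the message above describes: with TRANSITED-POLICY-CHECKED set, a policy that trusts the issuing KDC's check accepts the ticket without looking at the list, while a policy that always checks locally rejects it.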
