Never store TGT "aliases"

When obtaining a remote TGT krbtgt/REALM2@REALM2, an intermediate
cross-realm TGT obtained for krbtgt/REALM2@REALM1 is not equivalent
to the TGT we seek, and must not be stored under its name.
Viktor Dukhovni
2017-04-10 21:25:11 +00:00
committed by Nico Williams
parent f468c2fed1
commit 10f3ab0f2a


@@ -1218,7 +1218,8 @@ static void
store_cred(krb5_context context, krb5_ccache ccache,
krb5_const_principal server_princ, krb5_creds *creds)
{
if (!krb5_principal_compare(context, creds->server, server_princ)) {
if (!krb5_principal_compare(context, creds->server, server_princ) &&
!krb5_principal_is_krbtgt(context, server_princ)) {
krb5_principal tmp_princ = creds->server;
/*
* Store the cred with the pre-canon server princ first so it
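Review bot: The new `!krb5_principal_is_krbtgt(context, server_princ)` clause in the condition is not explained by the comment that follows it, which only describes why the cred is stored under the pre-canon server principal first. A reader of this function will not know that the exclusion exists because an intermediate cross-realm TGT (e.g. krbtgt/REALM2@REALM1 obtained while chasing krbtgt/REALM2@REALM2) is not equivalent to the requested TGT and must not be cached under the requested name; please carry that sentence from the commit message into the comment, e.g. "Never store a TGT under the requested krbtgt name: a cross-realm TGT returned on the way is not the TGT that was asked for." Note also that the check is applied to `server_princ` (the requested principal) rather than to `creds->server`, which is the intended direction here since it is the requested krbtgt name that must not be aliased; a short comment stating that would prevent a later "fix" that flips it.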