tgs-req: strip forwardable and proxiable if the server is disallowed

committed by
Jeffrey Altman

parent
921d528d8b
commit
839b073fac
@@ -912,6 +912,12 @@ tgs_make_reply(astgs_request_t r,
|
||||
et.flags.hw_authent = tgt->flags.hw_authent;
|
||||
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
|
||||
|
||||
/* See MS-KILE 3.3.5.1 */
|
||||
if (!server->entry.flags.forwardable)
|
||||
et.flags.forwardable = 0;
|
||||
if (!server->entry.flags.proxiable)
|
||||
et.flags.proxiable = 0;
|
||||
|
||||
/*
|
||||
* For anonymous tickets, we should filter out positive authorization data
|
||||
* that could reveal the client's identity, and return a policy error for
|
||||
|
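Review bot: The comment `/* See MS-KILE 3.3.5.1 */` above the two new `if` statements names the spec section but not the rule, so a reader cannot tell that the flags are cleared because of the server principal's own entry rather than the client's or the TGT's. I would spell it out, e.g. `/* MS-KILE 3.3.5.1: never issue a forwardable or proxiable ticket for a server whose entry does not allow it */`. tgs_make_reply starts and ends outside this hunk, so it is worth confirming that nothing later in the function sets `et.flags.forwardable` or `et.flags.proxiable` again, since any delegation decision made on the issued ticket presumably relies on these bits staying cleared.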
@@ -460,6 +460,10 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -f | grep ${server} | grep FRA > /dev/null || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "Testing strip of forwardable when the server is disallowed in TGS-REQ"
|
||||
${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -f | grep sensitive | grep FRA > /dev/null && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "Specific enctype"; > messages.log
|
||||
${kinit} --password-file=${objdir}/foopassword \
|
||||
|
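Review bot: The negative check `grep sensitive | grep FRA` passes whenever the literal string FRA is absent from the line. That also happens if the flag letters change for an unrelated reason (a non-renewable ticket, say) while F is still set, so the test can pass without the strip working. Consider matching the forwardable letter on its own, or asserting the exact flag string expected for the `sensitive` ticket; the `klist -f` column layout is not visible here, so the pattern needs checking against real output. The commit also clears proxiable in the KDC, but nothing in this hunk requests a proxiable ticket for `sensitive`, so that branch appears untested.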