tgs-req: strip forwardable and proxiable if the server is disallowed
This commit is contained in:
Isaac Boukris
committed by
Jeffrey Altman
Jeffrey Altman
parent
921d528d8b
commit
839b073fac
@@ -912,6 +912,12 @@ tgs_make_reply(astgs_request_t r,
|
|||||||
et.flags.hw_authent = tgt->flags.hw_authent;
|
et.flags.hw_authent = tgt->flags.hw_authent;
|
||||||
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
|
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
|
||||||
|
|
||||||
|
/* See MS-KILE 3.3.5.1 */
|
||||||
|
if (!server->entry.flags.forwardable)
|
||||||
|
et.flags.forwardable = 0;
|
||||||
|
if (!server->entry.flags.proxiable)
|
||||||
|
et.flags.proxiable = 0;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* For anonymous tickets, we should filter out positive authorization data
|
* For anonymous tickets, we should filter out positive authorization data
|
||||||
* that could reveal the client's identity, and return a policy error for
|
* that could reveal the client's identity, and return a policy error for
|
||||||
|
|||||||
@@ -460,6 +460,10 @@ ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
|
|||||||
${klist} -f | grep ${server} | grep FRA > /dev/null || \
|
${klist} -f | grep ${server} | grep FRA > /dev/null || \
|
||||||
{ ec=1 ; eval "${testfailed}"; }
|
{ ec=1 ; eval "${testfailed}"; }
|
||||||
|
|
||||||
|
echo "Testing strip of forwardable when the server is disallowed in TGS-REQ"
|
||||||
|
${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||||
|
${klist} -f | grep sensitive | grep FRA > /dev/null && \
|
||||||
|
{ ec=1 ; eval "${testfailed}"; }
|
||||||
|
|
||||||
echo "Specific enctype"; > messages.log
|
echo "Specific enctype"; > messages.log
|
||||||
${kinit} --password-file=${objdir}/foopassword \
|
${kinit} --password-file=${objdir}/foopassword \
|
||||||
|
|||||||
Reference in New Issue
Block a user