gsskrb5: Check dst-TGT policy at store time
Our initiator supports configuration-driven delegation of destination TGTs.

This commit adds acceptor-side handling of destination TGT policy to reject storing of non-destination TGTs when destination TGTs are desired.

Currently we use the same appdefault for this.

Background:

A root TGT is one of the form krbtgt/REALM@SAME-REALM.

A destination TGT is a root TGT for the same realm as the acceptor service's realm.

Normally clients delegate a root TGT for the client's realm.

In some deployments clients may want to delegate destination TGTs as a form of constrained delegation: so that the destination service cannot use the delegated credential to impersonate the client principal to services in its home realm (due to KDC lineage/transit checks). In those deployments there may not even be a route back to the KDCs of the client's realm, and attempting to use a non-destination TGT might even lead to timeouts.
@@ -96,6 +96,7 @@ _gsskrb5_krb5_import_cred(OM_uint32 *minor_status,
|
||||
HEIMDAL_MUTEX_init(&handle->cred_id_mutex);
|
||||
|
||||
handle->usage = 0;
|
||||
handle->destination_realm = NULL;
|
||||
|
||||
if (*id) {
|
||||
time_t now;
|
||||
|
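Review bot: The new `handle->destination_realm = NULL;` line in `_gsskrb5_krb5_import_cred` introduces a pointer field on the credential handle, but nothing visible here says who owns the string it will later point to. Please document on the field (or next to this initialization) whether the handle holds its own copy of the realm, and confirm that every other place that builds a credential handle also sets it to NULL and that the credential release path frees it. Otherwise the store-time policy check could read an uninitialized pointer or the realm string could leak. The commit message also says the acceptor reuses "the same appdefault" as the initiator without naming it; naming the setting in the message or in a comment would make the acceptor-side behaviour discoverable to whoever configures it.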