gsskrb5: Check dst-TGT policy at store time
Our initiator supports configuration-driven delegation of destination TGTs. This commit adds acceptor-side handling of destination TGT policy to reject storing of non-destination TGTs when destination TGTs are desired. Currently we use the same appdefault for this.

Background:

A root TGT is one of the form krbtgt/REALM@SAME-REALM. A destination TGT is a root TGT for the same realm as the acceptor service's realm. Normally clients delegate a root TGT for the client's realm.

In some deployments clients may want to delegate destination TGTs as a form of constrained delegation: so that the destination service cannot use the delegated credential to impersonate the client principal to services in its home realm (due to KDC lineage/transit checks). In those deployments there may not even be a route back to the KDCs of the client's realm, and attempting to use a non-destination TGT might even lead to timeouts.
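The root/destination distinction from the background above, as an added example that is not the project's code or part of this commit: it classifies a ticket's server principal against the acceptor's realm and applies the store-time rule. The helper names `classify_tgt` and `may_store_delegated`, the string-based parsing and the realm names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

enum tgt_kind { NOT_TGT, CROSS_REALM_TGT, ROOT_TGT, DESTINATION_TGT };

/* Hypothetical helper: classify an unparsed principal name against the
 * acceptor's realm. Realm comparison is case-sensitive. Names containing
 * backslash escapes are conservatively treated as not a TGT. */
static enum tgt_kind classify_tgt(const char *princ, const char *acceptor_realm)
{
    const char *slash = NULL, *at = NULL, *p;
    size_t inst_len;
    for (p = princ; *p; p++) {
        if (*p == '\\')
            return NOT_TGT;
        if (*p == '/' && at == NULL) {
            if (slash)
                return NOT_TGT;          /* more than two name components */
            slash = p;
        } else if (*p == '@') {
            if (at)
                return NOT_TGT;          /* more than one realm separator */
            at = p;
        }
    }
    if (!slash || !at || slash - princ != 6 || memcmp(princ, "krbtgt", 6) != 0)
        return NOT_TGT;
    inst_len = (size_t)(at - slash - 1);
    if (inst_len == 0 || at[1] == '\0')
        return NOT_TGT;
    if (strlen(at + 1) != inst_len || memcmp(slash + 1, at + 1, inst_len) != 0)
        return CROSS_REALM_TGT;          /* krbtgt/A@B with A != B */
    return strcmp(at + 1, acceptor_realm) == 0 ? DESTINATION_TGT : ROOT_TGT;
}

/* Store-time decision: with the policy on, only a destination TGT is stored
 * (an assumption of this example for the non-TGT and cross-realm cases). */
static int may_store_delegated(const char *princ, const char *realm, int want_dst_tgt)
{
    return !want_dst_tgt || classify_tgt(princ, realm) == DESTINATION_TGT;
}

int main(void)
{
    /* Constructed sample: acceptor in EXAMPLE.ORG, client from CLIENT.EXAMPLE */
    printf("%d\n", may_store_delegated("krbtgt/CLIENT.EXAMPLE@CLIENT.EXAMPLE", "EXAMPLE.ORG", 1));
    printf("%d\n", may_store_delegated("krbtgt/EXAMPLE.ORG@EXAMPLE.ORG", "EXAMPLE.ORG", 1));
    return 0;
}
```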
@@ -268,6 +268,7 @@ _gsskrb5_import_cred(OM_uint32 * minor_status,
|
||||
}
|
||||
|
||||
handle->usage = GSS_C_INITIATE;
|
||||
handle->destination_realm = NULL;
|
||||
krb5_cc_get_principal(context, id, &handle->principal);
|
||||
handle->ccache = id;
|
||||
handle->cred_flags = flags;
|
||||
|
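Review bot: `handle->destination_realm = NULL;` in `_gsskrb5_import_cred` leaves imported credentials with no destination realm, and nothing here documents what NULL means to the store-time policy check the commit message describes. Please add a comment on the field (or at this assignment) stating whether NULL means "no destination-TGT policy applies" or "realm unknown", and confirm the store path handles NULL explicitly rather than dereferencing or comparing against it. Also, the adjacent `krb5_cc_get_principal(context, id, &handle->principal);` discards its return value, so `handle->principal` can be left unset on failure; if any realm decision is later derived from that principal, check the return code and fail the import instead.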