gsskrb5: Check dst-TGT policy at store time
Our initiator supports configuration-driven delegation of destination TGTs. This commit adds acceptor-side handling of destination TGT policy to reject storing of non-destination TGTs when destination TGTs are desired. Currently we use the same appdefault for this.

Background:

A root TGT is one of the form krbtgt/REALM@SAME-REALM.

A destination TGT is a root TGT for the same realm as the acceptor service's realm.

Normally clients delegate a root TGT for the client's realm.

In some deployments clients may want to delegate destination TGTs as a form of constrained delegation: so that the destination service cannot use the delegated credential to impersonate the client principal to services in its home realm (due to KDC lineage/transit checks). In those deployments there may not even be a route back to the KDCs of the client's realm, and attempting to use a non-destination TGT might even lead to timeouts.
@@ -54,6 +54,7 @@ OM_uint32 GSSAPI_CALLCONV _gsskrb5_release_cred
|
||||
|
||||
HEIMDAL_MUTEX_lock(&cred->cred_id_mutex);
|
||||
|
||||
free(cred->destination_realm);
|
||||
if (cred->principal != NULL)
|
||||
krb5_free_principal(context, cred->principal);
|
||||
if (cred->keytab != NULL)
|
||||
|
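Review bot: The unconditional free(cred->destination_realm) in _gsskrb5_release_cred is only safe if every path that creates a cred leaves destination_realm either NULL or pointing at heap memory the cred owns exclusively. Please confirm that the cred structure is zero-initialised wherever it is allocated, and that any code which copies or duplicates a cred strdup()s this field instead of sharing the pointer, since a shared pointer would be freed twice when both creds are released. A one-line comment on the field stating that the cred owns the string would make that contract explicit. The missing NULL guard, unlike the principal and keytab checks below it, is fine because free(NULL) is a no-op.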