#1396 Kerberos validation algorithm is insufficient for cross-realm trusts
Closed: Fixed. Opened 7 years ago by sgallagh.

Currently, when we validate a TGT against the host keytab, we iterate through the keytab until we find a realm that matches the realm of the principal in the TGT. When a matching realm is found, we validate against it.

However, with cross-realm trusts, it is possible to receive a TGT for a realm not in the keytab, but that could still be validated by the keytab realm.

We need to modify the algorithm so that it will attempt to evaluate once for each realm in the keytab (skipping multiple enctypes) in case any of them work.

This proposal needs to be carefully evaluated for security exploits as well.
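The following is an added illustration of the realm-selection change described above; it is not SSSD code and does not call libkrb5. The keytab, the trust table and the `verify_with()` stand-in for `krb5_verify_init_creds()` are all constructed here to make the algorithm runnable offline. It compares the original "first entry whose realm matches the TGT" lookup with the proposed "once per distinct keytab realm, skipping further enctypes" loop, and keeps a TGT from a realm nobody in the keytab trusts failing.

```python
"""Model of TGT-validation realm selection (added example, not SSSD's code).

Keytab entries and trusts below are constructed; verify_with() is a stand-in
for krb5_verify_init_creds(), which in the real code is what decides whether
the TGT is genuine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    principal: str   # e.g. "host/ipa1.example.com@EXAMPLE.COM"
    enctype: str
    kvno: int


def realm_of(principal: str) -> str:
    return principal.rsplit("@", 1)[1]


# Constructed keytab: a host enrolled in two realms, several enctypes each.
KEYTAB = [
    KeytabEntry("host/ipa1.example.com@EXAMPLE.COM", "aes256-cts", 2),
    KeytabEntry("host/ipa1.example.com@EXAMPLE.COM", "aes128-cts", 2),
    KeytabEntry("host/ipa1.example.com@EXAMPLE.COM", "arcfour-hmac", 2),
    KeytabEntry("host/ipa1.example.com@CORP.EXAMPLE.ORG", "aes256-cts", 1),
    KeytabEntry("host/ipa1.example.com@CORP.EXAMPLE.ORG", "aes128-cts", 1),
]

# Constructed trust table: TGT realms each keytab realm's KDC will accept
# through a cross-realm trust (hypothetical names).
TRUSTS = {
    "EXAMPLE.COM": {"AD.EXAMPLE.NET"},
    "CORP.EXAMPLE.ORG": set(),
}


def verify_with(entry: KeytabEntry, tgt_realm: str) -> bool:
    """Stand-in for krb5_verify_init_creds(): the keytab realm validates the
    TGT if it is the TGT's own realm or trusts it. Anything else fails."""
    kt_realm = realm_of(entry.principal)
    return tgt_realm == kt_realm or tgt_realm in TRUSTS.get(kt_realm, set())


def validate_old(keytab: list, tgt_principal: str) -> bool:
    """Behaviour the ticket reports: validate only against the first keytab
    entry whose realm equals the TGT realm; no such entry means failure."""
    tgt_realm = realm_of(tgt_principal)
    for entry in keytab:
        if realm_of(entry.principal) == tgt_realm:
            return verify_with(entry, tgt_realm)
    return False


def validate_new(keytab: list, tgt_principal: str):
    """Proposed behaviour: try each distinct keytab realm once, skipping the
    other enctypes of a realm already tried. The realm matching the TGT is
    tried first. Returns (validating realm or None, realms attempted)."""
    tgt_realm = realm_of(tgt_principal)
    ordered = sorted(keytab, key=lambda e: realm_of(e.principal) != tgt_realm)
    attempted = []
    for entry in ordered:
        kt_realm = realm_of(entry.principal)
        if kt_realm in attempted:
            continue  # same realm, another enctype: skip
        attempted.append(kt_realm)
        if verify_with(entry, tgt_realm):
            return kt_realm, attempted
    return None, attempted


if __name__ == "__main__":
    for tgt in ("user@EXAMPLE.COM", "user@AD.EXAMPLE.NET", "user@EVIL.ORG"):
        print(tgt, "old:", validate_old(KEYTAB, tgt),
              "new:", validate_new(KEYTAB, tgt))
```

Note what the loop does and does not change: for the trusted `AD.EXAMPLE.NET` TGT the old lookup fails only because no keytab entry carries that realm, while the new loop hands it to the `EXAMPLE.COM` key and lets the real verification decide. A TGT from a realm none of the keytab realms trusts is still rejected after one attempt per realm, which is the property the "carefully evaluated for security exploits" remark is asking to be preserved: the change widens which keys are tried, not what counts as a valid ticket.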


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0
priority: major => critical
rhbz: => 0
type: enhancement => defect

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.9.0 RC1

Fields changed

owner: somebody => sbose
proposed_priority: => Undefined

Fixed in d29a9e0

resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.0 beta 7
