#1396 Kerberos validation algorithm is insufficient for cross-realm trusts
Closed: Fixed. Opened 11 years ago by sgallagh.

Currently, when we validate a TGT against the host keytab, we iterate through the keytab until we find a realm that matches the realm of the principal in the TGT. When a matching realm is found, we validate against it.

However, with cross-realm trusts, it is possible to receive a TGT for a realm not in the keytab, but that could still be validated by the keytab realm.

We need to modify the algorithm so that it will attempt to evaluate once for each realm in the keytab (skipping multiple enctypes) in case any of them work.

This proposal needs to be carefully evaluated for security exploits as well.
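The two selection strategies the ticket contrasts, as an added example that is not SSSD's code: a minimal reader for MIT keytab files (format version 0x0502) collects the distinct realms present in the host keytab, then the original "first realm equal to the TGT realm" rule is run beside the proposed "try each keytab realm once, duplicate enctypes collapsed" rule. The per-realm check is a pluggable callable standing in for the library call that does the real work (krb5_verify_init_creds in MIT Kerberos, assumed here to be what the validation relies on); `toy_verify`, the `TRUSTS` table, the sample principals and the keytab contents are all constructed for this example, and trying the TGT's own realm before the others is this example's choice, not something the ticket specifies.

```python
import struct
from typing import Callable, Iterable, Iterator, List, Optional, Tuple

KEYTAB_VERSION = 0x0502                    # MIT keytab file format version
Verifier = Callable[[str, str], bool]      # (TGT principal, keytab realm) -> verified?


def _counted(data: bytes) -> bytes:
    """Keytab counted_octet_string: 16-bit big-endian length, then octets."""
    return struct.pack(">H", len(data)) + data


def _read_counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def build_keytab(entries: Iterable[Tuple[str, int, int]]) -> bytes:
    """Serialise (principal, kvno, enctype) triples as a v0x0502 keytab; key bytes are zeros."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, kvno, enctype in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype)  # name_type, stamp, vno8, enctype
        body += _counted(bytes(32)) + struct.pack(">I", kvno)      # keyblock, 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body                 # size prefix excludes itself
    return out


def parse_keytab(data: bytes) -> Iterator[Tuple[str, int, int]]:
    """Yield (principal, kvno, enctype) for every live entry in the blob."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version 0x%04x" % version)
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        entry, pos = data[pos + 4:pos + 4 + abs(size)], pos + 4 + abs(size)
        if size <= 0:                                   # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", entry, 0)
        realm, off = _read_counted(entry, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _read_counted(entry, off)
            comps.append(c.decode())
        _name_type, _stamp, vno8, enctype = struct.unpack_from(">IIBH", entry, off)
        _key, off = _read_counted(entry, off + 11)
        kvno = struct.unpack_from(">I", entry, off)[0] if off + 4 <= len(entry) else vno8
        yield "/".join(comps) + "@" + realm.decode(), kvno, enctype


def keytab_realms(keytab: bytes) -> List[str]:
    """Distinct realms in keytab order; further enctypes/kvnos of a realm collapse."""
    realms: List[str] = []
    for principal, _kvno, _enctype in parse_keytab(keytab):
        realm = principal.rsplit("@", 1)[1]
        if realm not in realms:
            realms.append(realm)
    return realms


def validate_first_matching_realm(tgt: str, keytab: bytes, verify: Verifier) -> Optional[str]:
    """Original behaviour: only the keytab realm equal to the TGT's realm is tried."""
    tgt_realm = tgt.rsplit("@", 1)[1]
    for realm in keytab_realms(keytab):
        if realm == tgt_realm:
            return realm if verify(tgt, realm) else None
    return None                                         # no matching realm: reject


def validate_any_keytab_realm(tgt: str, keytab: bytes, verify: Verifier) -> Optional[str]:
    """Proposed behaviour: try each distinct keytab realm once (TGT's own realm first)."""
    tgt_realm = tgt.rsplit("@", 1)[1]
    for realm in sorted(keytab_realms(keytab), key=lambda r: r != tgt_realm):
        if verify(tgt, realm):
            return realm
    return None                                         # nothing verified: reject


# Constructed stand-in for krb5_verify_init_creds(): a keytab realm verifies its
# own TGTs and those of realms it trusts (real verification needs the host key).
TRUSTS = {("EXAMPLE.COM", "TRUSTED.EXAMPLE.NET")}       # (keytab realm, trusted realm)


def toy_verify(tgt: str, keytab_realm: str) -> bool:
    tgt_realm = tgt.rsplit("@", 1)[1]
    return tgt_realm == keytab_realm or (keytab_realm, tgt_realm) in TRUSTS


# Constructed host keytab: one realm with two enctypes, plus a second realm.
SAMPLE_KEYTAB = build_keytab([
    ("host/login.example.com@EXAMPLE.COM", 3, 18),      # aes256-cts-hmac-sha1-96
    ("host/login.example.com@EXAMPLE.COM", 3, 17),      # aes128-cts-hmac-sha1-96
    ("host/login.example.com@CORP.EXAMPLE.COM", 1, 18),
])

if __name__ == "__main__":
    for tgt in ("alice@EXAMPLE.COM", "bob@TRUSTED.EXAMPLE.NET", "mallory@EVIL.EXAMPLE.ORG"):
        print(tgt, "old:", validate_first_matching_realm(tgt, SAMPLE_KEYTAB, toy_verify),
              "new:", validate_any_keytab_realm(tgt, SAMPLE_KEYTAB, toy_verify))
```

For `bob@TRUSTED.EXAMPLE.NET` the original rule finds no keytab realm named TRUSTED.EXAMPLE.NET and rejects, while the proposed rule verifies the TGT against EXAMPLE.COM, which trusts that realm. Trying every realm does not weaken the check, because each attempt still has to succeed against the host's own key; what must not change is that exhausting the list without a success is a rejection, and that the library's "no failure if the keytab check cannot be done" option (krb5_verify_init_creds_opt_set_ap_req_nofail in MIT) is not left in its permissive setting while looping.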


Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.0
priority: major => critical
rhbz: => 0
type: enhancement => defect

Fields changed

milestone: SSSD 1.9.0 => SSSD 1.9.0 RC1

Fields changed

owner: somebody => sbose
proposed_priority: => Undefined

Fixed in d29a9e0

resolution: => fixed
status: new => closed

Metadata Update from @sgallagh:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.0 beta 7

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2438

If you want to receive further updates on the issue, please navigate to the github issue
and click the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
