[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
heimdal 0.6.[34] ticket forwarding or GSSAPI delegation, ticketshave wrong address
I first noticed this with OpenSSH 4.0p1, but while going through various
recompiles to fix other problems and upgrading to Heimdal 0.6.4 I
discovered that it was in fact happening with all ticket forwarding and
not just GSSAPI credentials delegation.
Basically, if I forward tickets, either via krb5 or via GSSAPI, the
forwarded tickets have the originating host's address instead of the
target system's address, making them quite useless. See the attached
sample (typescript from "telnet -F").
Is this really how it's supposed to work? Do we need to acquire
addressless tickets to do this?
--
brandon s. allbery [linux,solaris,freebsd,perl] allbery@kf8nh.com
system administrator [WAY too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon univ. KF8NH
Script started on Wed May 04 09:08:38 2005
$ kauth
opr@ECE.CMU.EDU's Password:
$ klist -v
Credentials cache: FILE:/tmp/krb5cc_Z25372
Principal: opr@ECE.CMU.EDU
Cache version: 4
Server: krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 8
Auth time: May 4 09:08:45 2005
End time: May 5 10:08:44 2005
Renew till: Jun 3 09:08:44 2005
Ticket flags: forwardable, renewable, initial
Addresses: IPv4:128.2.136.133
Server: afs@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 3
Auth time: May 4 09:08:45 2005
End time: May 5 10:08:44 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133
V4-ticket file: /tmp/tkt42
Principal: opr@ECE.CMU.EDU
Issued Expires Principal (kvno)
May 4 09:08:45 May 5 10:35:06 krbtgt.ECE.CMU.EDU@ECE.CMU.EDU (8)
$ telnet -F tully.ece.cmu.edu
Trying 128.2.136.132...
Connected to tully.ece.cmu.edu.
Escape character is '^]'.
Waiting for encryption to be negotiated...
[ Trying mutual KERBEROS5 (host/tully.ece.cmu.edu@ECE.CMU.EDU)... ]
[ Kerberos V5 accepts you as ``opr@ECE.CMU.EDU'' ]
[ Kerberos V5 accepted forwarded credentials ]
Encryption negotiated.
Welcome to SuSE Linux 9.0 (i586) - Kernel %r (%t).
Have a lot of fun...
opr@tully:/usr/opr> klist -v
Credentials cache: FILE:/tmp/krb5cc_42
Principal: opr@ECE.CMU.EDU
Cache version: 4
Server: krbtgt/ECE.CMU.EDU@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 8
Auth time: May 4 09:08:45 2005
Start time: May 4 09:09:01 2005
End time: May 5 10:08:44 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133
Server: afs@ECE.CMU.EDU
Ticket etype: des-cbc-crc, kvno 3
Auth time: May 4 09:08:45 2005
Start time: May 4 09:09:02 2005
End time: May 5 10:08:44 2005
Ticket flags: forwardable, transited-policy-checked
Addresses: IPv4:128.2.136.133
V4-ticket file: /tmp/tkt42
klist: No ticket file (tf_util)
opr@tully:/usr/opr> Connection closed by foreign host.
$
script done on Wed May 04 09:09:25 2005