Thank you. This was a useful discussion for me.

On Wed, Jul 28, 2021 at 4:36 PM Isaac Boukris <ibouk...@gmail.com> wrote:
> On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1...@gmail.com>
> wrote:
> >
> > Now we know that the behavior is unified and the S4U2Self ticket should be
> > forwardable to avoid the vulnerability, I think we can add a check in the MIT
> > Kerberos API itself such that, before sending the S4U2Proxy TGS-REQ to the KDC,
> > if the ticket is not forwardable it will fail in the client itself.
> >
> > I can see that the JDK has this check:
> >
> > https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
> > -> line 105
>
> MIT used to have that as well before RBCD was added, although I don't
> think this was ever necessary, as that check should be done in the
> KDC. Also, disabling NonForwardableDelegation can be a valid usage when
> relying on SIDs and not using protected-group, as in the original RBCD
> design:
>
> https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md

--
Regards,
Vipul

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
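The client-side gate Vipul proposes above, written out as an added, stand-alone example. This is not code from MIT krb5, from the JDK's CredentialsUtil, or from anyone on the thread. It assumes the caller already holds the S4U2Self ticket's TicketFlags as a DER-encoded KerberosFlags BIT STRING (RFC 4120 sections 5.2.8 and 5.3); a real client would instead read the flag from the decrypted EncTicketPart or from the `ticket_flags` in its krb5_creds. The three sample encodings are constructed for the example, not captured from a KDC. As Isaac notes, a check like this is client policy only; it does not replace the check the KDC must do.

```c
/*
 * Added example (not MIT krb5 or JDK code): refuse to build an S4U2Proxy
 * TGS-REQ when the S4U2Self evidence ticket is not forwardable.
 *
 * RFC 4120 numbers KerberosFlags bit 0 as the most significant bit of the
 * first content octet, so TicketFlags "forwardable" is bit 1 (0x40 in the
 * first octet), matching MIT krb5's TKT_FLG_FORWARDABLE = 0x40000000.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TicketFlags bit numbers from RFC 4120 section 5.3. */
enum ticket_flag_bit {
    TKT_BIT_FORWARDABLE    = 1,
    TKT_BIT_FORWARDED      = 2,
    TKT_BIT_PROXIABLE      = 3,
    TKT_BIT_RENEWABLE      = 8,
    TKT_BIT_PRE_AUTHENT    = 10,
    TKT_BIT_OK_AS_DELEGATE = 13
};

typedef enum {
    S4U_OK = 0,
    S4U_ERR_MALFORMED_FLAGS = 1,
    S4U_ERR_NOT_FORWARDABLE = 2
} s4u_status;

/*
 * Decode a DER BIT STRING (tag 0x03, short-form length) carrying
 * KerberosFlags into a 32-bit mask laid out like MIT's krb5_flags:
 * RFC bit n becomes mask bit (31 - n). KerberosFlags must carry at least
 * 32 bits; any octets beyond the first four are ignored here.
 * Returns 0 on success, -1 on a malformed or too-short encoding.
 */
int decode_kerberos_flags(const uint8_t *der, size_t len, uint32_t *out)
{
    if (der == NULL || len < 2 || der[0] != 0x03)
        return -1;                        /* not a BIT STRING */
    size_t clen = der[1];
    if ((clen & 0x80) != 0 || clen + 2 > len)
        return -1;                        /* long-form length or truncated */
    if (clen < 5 || der[2] > 7)
        return -1;                        /* need unused-bits octet + 4 data octets */

    uint32_t mask = 0;
    for (size_t i = 0; i < 4; i++)
        mask = (mask << 8) | der[3 + i];
    *out = mask;
    return 0;
}

/* Convenience wrapper: the decoded mask, or 0 if the encoding is invalid. */
uint32_t flags_mask_or_zero(const uint8_t *der, size_t len)
{
    uint32_t mask;
    return decode_kerberos_flags(der, len, &mask) == 0 ? mask : 0;
}

/* True if RFC 4120 bit `bit` (0..31) is set in a decoded mask. */
int kerberos_flag_set(uint32_t mask, int bit)
{
    if (bit < 0 || bit > 31)
        return 0;
    return (int)((mask >> (31 - bit)) & 1u);
}

/* The proposed gate, to be run before the S4U2Proxy request is assembled. */
s4u_status check_s4u2self_ticket_for_proxy(const uint8_t *flags_der, size_t len)
{
    uint32_t mask;
    if (decode_kerberos_flags(flags_der, len, &mask) != 0)
        return S4U_ERR_MALFORMED_FLAGS;
    if (!kerberos_flag_set(mask, TKT_BIT_FORWARDABLE))
        return S4U_ERR_NOT_FORWARDABLE;
    return S4U_OK;
}

/* Constructed sample encodings for this example (not from a real KDC). */
/* forwardable + renewable + pre-authent: bits 1, 8, 10 -> 40 A0 00 00 */
const uint8_t SAMPLE_FLAGS_FORWARDABLE[]     = { 0x03, 0x05, 0x00, 0x40, 0xA0, 0x00, 0x00 };
/* renewable + pre-authent only, forwardable clear -> 00 A0 00 00 */
const uint8_t SAMPLE_FLAGS_NOT_FORWARDABLE[] = { 0x03, 0x05, 0x00, 0x00, 0xA0, 0x00, 0x00 };
/* only 16 bits of flags: shorter than KerberosFlags allows */
const uint8_t SAMPLE_FLAGS_TRUNCATED[]       = { 0x03, 0x03, 0x00, 0x40, 0xA0 };

static const char *describe(s4u_status s)
{
    switch (s) {
    case S4U_OK:                  return "ok, proceed with S4U2Proxy";
    case S4U_ERR_NOT_FORWARDABLE: return "refused: S4U2Self ticket not forwardable";
    default:                      return "refused: malformed TicketFlags";
    }
}

int main(void)
{
    printf("forwardable sample:     %s\n", describe(check_s4u2self_ticket_for_proxy(
        SAMPLE_FLAGS_FORWARDABLE, sizeof SAMPLE_FLAGS_FORWARDABLE)));
    printf("non-forwardable sample: %s\n", describe(check_s4u2self_ticket_for_proxy(
        SAMPLE_FLAGS_NOT_FORWARDABLE, sizeof SAMPLE_FLAGS_NOT_FORWARDABLE)));
    printf("truncated sample:       %s\n", describe(check_s4u2self_ticket_for_proxy(
        SAMPLE_FLAGS_TRUNCATED, sizeof SAMPLE_FLAGS_TRUNCATED)));
    return 0;
}
```

The mask layout deliberately mirrors krb5_flags so that the same `kerberos_flag_set(mask, TKT_BIT_FORWARDABLE)` test could be applied to `creds->ticket_flags` in a client built on the MIT API, which is where the check Vipul describes would live.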