devel / comp.protocols.kerberos / Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?

https://news.novabbs.com/devel/article-flat.php?id=550&group=comp.protocols.kerberos#550

From: ghud...@mit.edu (Greg Hudson)
Newsgroups: comp.protocols.kerberos
Subject: Re: honoring the TRUSTED_FOR_DELEGATION KDC MS-SFU Kerberos Protocol Extensions flag?
Date: Tue, 30 Apr 2024 18:01:51 -0400
Message-ID: <mailman.98.1714514521.2322.kerberos@mit.edu>
References: <CAEkxbZuz1h7Ef4N5nz3teb8vcTxTE6iBUZC+TYssUcayKHhXQQ@mail.gmail.com>
<202404152356.43FNu4Wj009470@hedwig.cmf.nrl.navy.mil>
<Zh3JEbB0IfDztgSQ@tamriel.snowman.net>
<CAEkxbZvn=3G3MVossM0aRC3pFd+JCX13ugUo6BwyKqaKtv--xg@mail.gmail.com>
<202404170130.43H1UpOg023445@hedwig.cmf.nrl.navy.mil>
<CAEkxbZupQObPrSC7PLvVV9+de8Pjj=d=dYRZWFvY3wMyUQPxMA@mail.gmail.com>
<202404301649.43UGnfNE028201@hedwig.cmf.nrl.navy.mil>
<992e2dea-dbd3-4f43-8b2a-7f4c8a6004c8@mit.edu>
In-Reply-To: <202404301649.43UGnfNE028201@hedwig.cmf.nrl.navy.mil>
Cc: kerberos@mit.edu
To: Ken Hornstein <kenh@cmf.nrl.navy.mil>, James Ralston <ralston@pobox.com>
List-Id: The Kerberos Authentication System Mailing List <kerberos.mit.edu>
List-Archive: <http://mailman.mit.edu/pipermail/kerberos/>
X-Mailman-Original-Message-ID: <992e2dea-dbd3-4f43-8b2a-7f4c8a6004c8@mit.edu>
 by: Greg Hudson - Tue, 30 Apr 2024 22:01 UTC

On 4/30/24 12:49, Ken Hornstein via Kerberos wrote:
> First off, I would advise you to NOT look at upstream Heimdal, because
> that's not helpful because it's not actually the code in question.
> Instead maybe look at the actual Heimdal source code used on MacOS X?

To expand on this: the Apple forks of open-source projects are available
at opensource.apple.com, and at
https://github.com/apple-oss-distributions (not sure if the latter is
official or community-maintained).

I looked at the Apple fork of Heimdal and didn't find any obvious code
change to honor ok-as-delegate by default. In fact, it doesn't even
implement enforce_ok_as_delegate. But both versions do implement a
ccache config setting called "realm-config" and enforce ok-as-delegate
if the 1 bit is set in the first byte of the value. Nothing in Heimdal
or Apple's fork of it sets realm-config, but the macOS native ccache
implementation or login system might do so. James could perhaps test this
theory by setting KRB5CCNAME to FILE:something, running kinit -f,
and seeing if ssh will forward those tickets.
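As an added example (not code from this thread, nor from MIT krb5, Heimdal or Apple's fork), here is a POSIX shell script that wraps the test Greg suggests and the check worth doing before trying ssh: it pulls the TGT's flag letters out of `klist -f` output and applies the decision an enforce-ok-as-delegate client makes, which is forward only if the ticket is forwardable (F) and carries ok_as_delegate (O), the flag the KDC sets from the service account's TRUSTED_FOR_DELEGATION bit. The parser assumes MIT krb5's `klist -f` layout, which prints a "Flags:" line under each credential; Heimdal's klist prints flags differently, so `tgt_flags` would need adjusting for macOS output. The sample klist output, the principal and the ccache path are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from any Kerberos implementation.
# Flow: plain FILE: ccache (keeps the macOS native ccache out of the picture),
# "kinit -f", read the TGT flags, decide as an enforcing client would, and only
# then try "ssh -K host". Flag letters follow MIT krb5 "klist -f":
# F = forwardable, O = ok_as_delegate.

# Constructed sample of MIT "klist -f" output, used by the offline demo below.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_delegation_test
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
04/30/2024 18:01:51  05/01/2024 04:01:51  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Flags: FRIAO
04/30/2024 18:02:10  05/01/2024 04:01:51  host/ws.example.com@EXAMPLE.COM
        Flags: FRA'

# tgt_flags: read klist -f output on stdin, print the flag letters of the first
# krbtgt/ entry; prints nothing if there is no TGT or it has no Flags: line.
tgt_flags() {
    awk '
        /krbtgt\//            { in_tgt = 1; next }
        in_tgt && /Flags:/    { print $2; exit }
        in_tgt && /^[0-9]/    { in_tgt = 0 }      # another credential started
    '
}

# would_forward FLAGS ENFORCE: exit 0 if a client would forward this TGT.
# Forwarding always needs F; with ENFORCE=1 (MIT enforce_ok_as_delegate, or
# the Heimdal realm-config bit discussed in the post) it also needs O.
would_forward() {
    flags=$1
    enforce=$2
    case $flags in *F*) ;; *) return 1 ;; esac
    if [ "$enforce" -eq 1 ]; then
        case $flags in *O*) ;; *) return 1 ;; esac
    fi
    return 0
}

# delegation_check PRINCIPAL: the live procedure. Not run by default, since it
# needs a reachable KDC; the scratch ccache path is an assumed location.
delegation_check() {
    KRB5CCNAME="FILE:/tmp/krb5cc_delegation_test.$$"
    export KRB5CCNAME
    kinit -f "$1" || return 1
    flags=$(klist -f | tgt_flags)
    echo "TGT flags: ${flags:-<none>}"
    if would_forward "$flags" 1; then
        echo "ok_as_delegate is set: an enforcing client would forward this TGT"
    else
        echo "ok_as_delegate is not set: an enforcing client will refuse to forward it"
    fi
    kdestroy
}

# Offline demo on the constructed sample.
demo_flags=$(printf '%s\n' "$SAMPLE_KLIST" | tgt_flags)
echo "sample TGT flags: $demo_flags"
if would_forward "$demo_flags" 1; then
    echo "sample: would be forwarded with ok-as-delegate enforcement on"
fi
```

If the TGT shows F but not O, the KDC (or the service account's TRUSTED_FOR_DELEGATION setting) is the thing to look at; if it shows both and ssh still does not forward, the client-side enforcement path is the suspect, which is where the realm-config question in the post comes in.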

