Sergio Gelato <[EMAIL PROTECTED]> writes:
> Looking at the source code, the problem appears to be that
> pamk5_password_auth() (in support.c) blindly sets the "forwardable"
> request flag even when the requested principal is kadmin/changepw.
> Maybe the code in support.c that sets ticket options needs to be wrapped
> in an
> if (in_tkt_service == NULL) {
> }
> block? See the comment that says "the only interesting non-null case is
> kadmin/changepw for changing passwords".
Good analysis. Thank you! The problem was specifically with realms that
set additional restrictions on the types of tickets that can be generated
for kadmin/changepw and since my local realm doesn't do that (although it
probably should), I didn't notice this problem.
I don't want to completely skip getting default ticket flags from
krb5.conf on Heimdal because that may be where we're getting settings that
do matter for kpasswd, such as ticket addresses. Looking at both the MIT
Kerberos and Heimdal source, it appears that clearing forwardable and
proxiable and setting a renew lifetime of 0 will be sufficient.
This is fixed in pam-krb5 3.6, which I plan on releasing later tonight.
--
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
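The change Russ describes, as a worked example added here (this is not pam-krb5's own code; it is a constructed model of the option handling, and the config defaults and struct are assumptions). Real pam-krb5 would make the equivalent calls through the MIT/Heimdal API functions named in the comments; the point shown is that the krb5.conf defaults are still loaded for every request, and only forwardable, proxiable and the renew lifetime are overridden when the initial ticket is for kadmin/changepw, so address restrictions needed by kpasswd survive.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the options pam-krb5 hands to
 * krb5_get_init_creds_password(); field names are assumptions. */
struct tkt_opts {
    int forwardable;   /* krb5_get_init_creds_opt_set_forwardable() */
    int proxiable;     /* krb5_get_init_creds_opt_set_proxiable() */
    long renew_life;   /* krb5_get_init_creds_opt_set_renew_life(), seconds */
    int use_addresses; /* address restriction from krb5.conf, kept for kpasswd */
};

/* Stand-in for reading [libdefaults] from krb5.conf; values are constructed. */
static void load_config_defaults(struct tkt_opts *o)
{
    o->forwardable = 1;
    o->proxiable = 1;
    o->renew_life = 7 * 24 * 3600;
    o->use_addresses = 1;
}

/* The fix from the thread: always start from the configured defaults, then,
 * for a kadmin/changepw request, clear forwardable and proxiable and set the
 * renew lifetime to 0. Everything else (addresses) is left as configured. */
void set_ticket_options(const char *in_tkt_service, struct tkt_opts *o)
{
    load_config_defaults(o);
    if (in_tkt_service != NULL && strcmp(in_tkt_service, "kadmin/changepw") == 0) {
        o->forwardable = 0;
        o->proxiable = 0;
        o->renew_life = 0;
    }
}

/* 1 when the options would satisfy a realm that refuses forwardable,
 * proxiable or renewable tickets for kadmin/changepw. */
int changepw_options_ok(const struct tkt_opts *o)
{
    return !o->forwardable && !o->proxiable && o->renew_life == 0;
}

/* Password-change request: restricted flags, addresses still applied. */
int check_changepw_request(void)
{
    struct tkt_opts o;
    set_ticket_options("kadmin/changepw", &o);
    return changepw_options_ok(&o) && o.use_addresses == 1;
}

/* Ordinary login (in_tkt_service == NULL): krb5.conf defaults untouched. */
int check_default_request(void)
{
    struct tkt_opts o;
    set_ticket_options(NULL, &o);
    return o.forwardable == 1 && o.proxiable == 1 && o.renew_life == 7 * 24 * 3600;
}

int main(void)
{
    printf("kadmin/changepw options restricted: %s\n",
           check_changepw_request() ? "yes" : "no");
    printf("default options preserved:          %s\n",
           check_default_request() ? "yes" : "no");
    return 0;
}
```

The useful check for an operator is the second one: a fix that simply skipped the krb5.conf defaults for changepw would also pass the first test while silently dropping address restrictions.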
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]