> For AFS, the problem is made somewhat worse by the fact that we construct
> usernames by concatenating the V4 name and instance with a dot, but only
> when the instance has non-zero length. This behavior depends on the
> premise that a V4 principal name will never contain a ".". While krb524d
> is broken and does not enforce this restriction, the V5 ticket handling
> code in rxkad does. The reasoning is the same as above -- mapping multiple
> distinct V5 principals to the same AFS username could result in all sorts of
> nasty security problems.
This is going to be my last message on this topic, honest.

- Clearly neither of the two open-source Kerberos implementations consider this a security problem, as they do not perform this checking. If it was a "nasty security problem", we'd see CERT warnings issued and patches to correct the problem.

- This could only conceivably be an issue if you allow users to create arbitrary principal names. I know that CMU allows users to create arbitrary instances for some strange reason, but even you have to admit that this is a rather uncommon practice. For sites that don't allow users to create arbitrary principals, the only thing this check accomplishes is that it breaks things for V5 sites that have created principals with "." in their names (it doesn't even do a mapping to something else; it just silently rejects them!)

--Ken

_______________________________________________
OpenAFS-devel mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-devel
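The mapping the two messages argue about, as an added illustration that is not OpenAFS's rxkad or krb524d code: the "name.instance" join described in the quoted text, the collision it produces when a name component itself contains a dot, and the check that rejects such names so that each AFS username comes from exactly one principal. The `Principal` class, the realm value and the function names are constructed for this example.

```python
"""
Constructed illustration of the V4-style "name.instance" AFS username mapping
described in the quoted message. Example code written for this thread, not
OpenAFS's rxkad or krb524d source; the mapping rule is taken from the
quoted description.
"""
from dataclasses import dataclass


class AmbiguousPrincipalError(ValueError):
    """Raised when a principal cannot be mapped to a unique AFS username."""


@dataclass(frozen=True)
class Principal:
    """A principal modelled V4-style: name, optional instance, realm."""
    name: str
    instance: str = ""
    realm: str = "EXAMPLE.ORG"  # constructed placeholder realm


def afs_username_unchecked(p: Principal) -> str:
    """Join name and instance with '.', but only when the instance is
    non-empty (the krb524d behaviour the quoted text calls 'broken')."""
    return p.name if p.instance == "" else f"{p.name}.{p.instance}"


def afs_username_checked(p: Principal) -> str:
    """Same join, but refuse a name containing '.'. With dot-free names the
    first '.' in the result always separates name from instance, so two
    distinct principals can no longer yield the same AFS username."""
    if "." in p.name:
        raise AmbiguousPrincipalError(
            f"name {p.name!r} contains '.'; it would collide with name "
            f"{p.name.split('.', 1)[0]!r} plus instance "
            f"{p.name.split('.', 1)[1]!r}")
    return afs_username_unchecked(p)


def collisions(principals):
    """Audit helper: AFS usernames that more than one distinct principal
    produces under the unchecked mapping, with the colliding principals."""
    by_user = {}
    for p in principals:
        by_user.setdefault(afs_username_unchecked(p), set()).add(p)
    return {u: ps for u, ps in by_user.items() if len(ps) > 1}
```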
