RFR 8022582: Relax response flags checking in sun.security.krb5.KrbKdcRep.check.

Sean Mullan sean.mullan at oracle.com
Mon Jan 26 15:33:11 UTC 2015


Typo on line 941 of KDC.java: s/senstives/sensitives

Also the OS component of the bug is set to "solaris_10", which doesn't 
seem right.

Looks ok otherwise.

--Sean

On 01/14/2015 11:10 PM, Wang Weijun wrote:
> Hi All
>
> Please review the code changes at
>
>    http://cr.openjdk.java.net/~weijun/8022582/webrev.00
>
> Sometimes a forwardable ticket request is sent but KDC returns a non-forwardable one. For example, in Windows, an account can be set as "sensitive and cannot be delegated". While it's possible to remove the "forwardable=true" line in krb5.conf to avoid the check failure, the file is global and maybe another account wants to be delegated. Therefore we just relax the forwardable check.
>
> KrbTgsReq is also modified so that one can get a service ticket when TGT is not forwardable.
>
> One special case is the S4U2self request: both the existing ticket and the expected ticket must be forwardable, and we fail early if one is not.
>
> A new test simulates the "sensitive account" concept in Windows.
>
> Thanks
> Max
>

