[OpenAFS-devel] Minimum autoconf version
Ken Hornstein
kenh@cmf.nrl.navy.mil
Tue, 05 Jul 2005 10:38:38 -0400
>This doesn't fix the problem. This opens the security hole for aklog
>with krb5 tickets as well. The problem is that there is no way to
>distiguish between two krb5 principals;
>
> user.admin@REALM
> user/admin@REALM
>
>Two identities in Kerberos should not be treated as the same identity in
>AFS.
This code here is ONLY for aklog's client-side PTS lookup, which really
exists for two reasons:
- Historical (this is the "ID xxxx" output in tokens), which apparantly is
only used by some components of the Andrew Mail System.
- Determining if the cross-realm PTS entry needs to be created.
It doesn't affect the contents of the Kerberos ticket, which is the only
thing that matters in terms of security. There is no security hole in
aklog (let me rephrase that: _this_ is not a security hole in aklog).
And didn't we already have this discussion six months ago? The reality
is that the Kerberos 524 daemon has been happily mapping V5 principals
with a "." in them SINCE DAY ONE, and OpenAFS is the one that
arbitrarily rejects V5 principals with a "." in them.
--Ken