diff options
author | Ken Raeburn <raeburn@mit.edu> | 2001-09-26 03:47:47 +0000 |
---|---|---|
committer | Ken Raeburn <raeburn@mit.edu> | 2001-09-26 03:47:47 +0000 |
commit | ed96414c30ce1f6bad4f0f1f22b6d2d8800cc008 (patch) | |
tree | 6c98a25e645cb611608a3a8ef3090c54fd71fdd1 /doc | |
parent | e5de98cc3e7d32615193b106ed4193bb532a6532 (diff) | |
download | krb5-ed96414c30ce1f6bad4f0f1f22b6d2d8800cc008.tar.gz krb5-ed96414c30ce1f6bad4f0f1f22b6d2d8800cc008.tar.xz krb5-ed96414c30ce1f6bad4f0f1f22b6d2d8800cc008.zip |
better realm transit path checking for app server
transit path checking enforcement for kdc; supporting code, doc update
[merged from 1.2.3 release branch]
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13758 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'doc')
-rw-r--r-- | doc/ChangeLog | 5 | ||||
-rw-r--r-- | doc/admin.texinfo | 32 | ||||
-rw-r--r-- | doc/copyright.texinfo | 2 |
3 files changed, 38 insertions, 1 deletions
diff --git a/doc/ChangeLog b/doc/ChangeLog index d85ad08497..4591171e2e 100644 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -1,3 +1,8 @@ +2001-09-25 Ken Raeburn <raeburn@mit.edu> + + * admin.texinfo (realms (kdc.conf)): Add description of + reject_bad_transit realm option. + 2001-06-26 Ezra Peisach <epeisach@mit.edu> * user-guide.texinfo, install.texinfo: Cleanup makeinfo warning of diff --git a/doc/admin.texinfo b/doc/admin.texinfo index 77d066ab09..fea52d4818 100644 --- a/doc/admin.texinfo +++ b/doc/admin.texinfo @@ -928,6 +928,38 @@ List of key:salt strings. Specifies the permitted key/salt combinations of principals for this realm. You should set this tag to @samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}. +@itemx reject_bad_transit +A boolean value (@code{true}, @code{false}). If set to @code{true}, the +KDC will check the list of transited realms for cross-realm tickets +against the transit path computed from the realm names and the +@code{capaths} section of its @code{krb5.conf} file; if the path in the +ticket to be issued contains any realms not in the computed path, the +ticket will not be issued, and an error will be returned to the client +instead. If this value is set to @code{false}, such tickets will be +issued anyways, and it will be left up to the application server to +validate the realm transit path. + +If the @code{disable-transited-check} flag is set in the incoming +request, this check is not performed at all. Having the +@code{reject_bad_transit} option will cause such ticket requests to be +rejected always. + +This transit path checking and config file option currently apply only +to TGS requests. + +Earlier versions of the MIT release (before 1.2.3) had bugs in the +application server support such that the server-side checks may not be +performed correctly. We recommend turning this option on, unless you +know that all application servers in this realm have been updated to +fixed versions of the software, and for whatever reason, you don't want +the KDC to do the validation. + +This is a per-realm option so that multiple-realm KDCs may control it +separately for each realm, in case (for example) one realm has had the +software on its application servers updated but another has not. + +This option defaults to @code{true}. + @end table @node Sample kdc.conf File, , realms (kdc.conf), kdc.conf diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo index 83fe7ef650..355cad1a8a 100644 --- a/doc/copyright.texinfo +++ b/doc/copyright.texinfo @@ -1,4 +1,4 @@ -Copyright @copyright{} 1985-2000 by the Massachusetts Institute of Technology. +Copyright @copyright{} 1985-2001 by the Massachusetts Institute of Technology. @quotation Export of software employing encryption from the United States of |