better realm transit path checking for app server

transit path checking enforcement for kdc; supporting code, doc update
[merged from 1.2.3 release branch]

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13758 dc483132-0cff-0310-8789-dd5450dbe970

3 files changed, 38 insertions, 1 deletions

diff --git a/doc/ChangeLog b/doc/ChangeLog
index d85ad08497..4591171e2e 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,8 @@
+2001-09-25  Ken Raeburn  <raeburn@mit.edu>
+
+	* admin.texinfo (realms (kdc.conf)): Add description of
+	reject_bad_transit realm option.
+
 2001-06-26  Ezra Peisach  <epeisach@mit.edu>
 
 	* user-guide.texinfo, install.texinfo: Cleanup makeinfo warning of
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 77d066ab09..fea52d4818 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -928,6 +928,38 @@ List of key:salt strings.  Specifies the permitted key/salt combinations
 of principals for this realm.  You should set this tag to
 @samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}.
 
+@itemx reject_bad_transit
+A boolean value (@code{true}, @code{false}).  If set to @code{true}, the
+KDC will check the list of transited realms for cross-realm tickets
+against the transit path computed from the realm names and the
+@code{capaths} section of its @code{krb5.conf} file; if the path in the
+ticket to be issued contains any realms not in the computed path, the
+ticket will not be issued, and an error will be returned to the client
+instead.  If this value is set to @code{false}, such tickets will be
+issued anyways, and it will be left up to the application server to
+validate the realm transit path.
+
+If the @code{disable-transited-check} flag is set in the incoming
+request, this check is not performed at all.  Having the
+@code{reject_bad_transit} option will cause such ticket requests to be
+rejected always.
+
+This transit path checking and config file option currently apply only
+to TGS requests.
+
+Earlier versions of the MIT release (before 1.2.3) had bugs in the
+application server support such that the server-side checks may not be
+performed correctly.  We recommend turning this option on, unless you
+know that all application servers in this realm have been updated to
+fixed versions of the software, and for whatever reason, you don't want
+the KDC to do the validation.
+
+This is a per-realm option so that multiple-realm KDCs may control it
+separately for each realm, in case (for example) one realm has had the
+software on its application servers updated but another has not.
+
+This option defaults to @code{true}.
+
 @end table
 
 @node Sample kdc.conf File,  , realms (kdc.conf), kdc.conf
diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo
index 83fe7ef650..355cad1a8a 100644
--- a/doc/copyright.texinfo
+++ b/doc/copyright.texinfo
@@ -1,4 +1,4 @@
-Copyright @copyright{} 1985-2000 by the Massachusetts Institute of Technology. 
+Copyright @copyright{} 1985-2001 by the Massachusetts Institute of Technology. 
 
 @quotation  
 Export of software employing encryption from the United States of