On Wed, Jul 28, 2021 at 1:46 PM Vipul Mehta <vipulmehta.1...@gmail.com> wrote:
>
> Now we know that the behavior is unified and the S4U2Self ticket should be
> forwardable to avoid the vulnerability, I think we can add a check in the MIT
> Kerberos API itself such that before sending the S4U2Proxy TGS-REQ to the KDC, if
> the ticket is not forwardable it will fail in the client itself.
>
> I can see that the JDK has this check:
> https://github.com/openjdk/jdk/blob/739769c8fc4b496f08a92225a12d07414537b6c0/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java
> -> line 105
MIT used to have that as well before RBCD was added, although I don't think this was ever necessary, as that check should be done in the KDC.

Also, disabling NonForwardableDelegation can be a valid usage when relying on SIDs and not using protected-group, as in the original RBCD design:
https://github.com/MicrosoftDocs/windowsserverdocs/blob/master/WindowsServerDocs/security/kerberos/kerberos-constrained-delegation-overview.md

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
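The client-side precondition the thread discusses, written out as an added example (it is not MIT Kerberos or JDK code): decode the TicketFlags BIT STRING of the S4U2Self service ticket per RFC 4120 section 5.2.8 (bit 0 is the most significant bit of the first octet; forwardable is bit 1) and refuse to build the S4U2Proxy TGS-REQ when the forwardable flag is absent. The `allow_non_forwardable` policy parameter is a hypothetical knob standing in for the "NonForwardableDelegation" case the reply mentions; the flag bytes are constructed sample values, not captured tickets.

```python
"""Client-side check that an S4U2Self ticket is forwardable before S4U2Proxy.

Added example; not code from MIT Kerberos or the JDK. Ticket flag values below
are constructed for illustration.
"""

# RFC 4120 section 5.2.8: KerberosFlags is an ASN.1 BIT STRING of at least
# 32 bits. Bit n lives in octet n // 8, counted from the most significant bit.
TICKET_FLAG_BITS = {
    "reserved": 0,
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "may-postdate": 5,
    "postdated": 6,
    "invalid": 7,
    "renewable": 8,
    "initial": 9,
    "pre-authent": 10,
    "hw-authent": 11,
    "transited-policy-checked": 12,
    "ok-as-delegate": 13,
}


def flag_set(flags: bytes, bit: int) -> bool:
    """True if the numbered bit is set in the BIT STRING contents octets."""
    octet, offset = divmod(bit, 8)
    if octet >= len(flags):
        return False
    return bool(flags[octet] & (0x80 >> offset))


def decode_ticket_flags(flags: bytes) -> set:
    """Map the contents octets of a TicketFlags BIT STRING to flag names."""
    return {name for name, bit in TICKET_FLAG_BITS.items() if flag_set(flags, bit)}


class NonForwardableTicketError(Exception):
    """Raised when the S4U2Self ticket cannot be used as S4U2Proxy evidence."""


def check_s4u2self_for_s4u2proxy(ticket_flags: bytes, allow_non_forwardable: bool = False) -> dict:
    """Decide whether a client may build an S4U2Proxy TGS-REQ from this ticket.

    allow_non_forwardable is a hypothetical local policy switch modelling the
    case where the KDC, not the client, is trusted to enforce delegation rules
    (the RBCD usage the reply describes). The default refuses, mirroring the
    client-side check proposed in the thread.
    """
    names = decode_ticket_flags(ticket_flags)
    forwardable = "forwardable" in names
    if not forwardable and not allow_non_forwardable:
        raise NonForwardableTicketError(
            "S4U2Self ticket is not forwardable; refusing to send S4U2Proxy TGS-REQ"
        )
    return {"flags": sorted(names), "forwardable": forwardable, "proceed": True}


# Constructed sample flag octets (first 32 bits of a TicketFlags BIT STRING):
#   0x40 0xA0 0x00 0x00 -> forwardable, renewable, pre-authent
#   0x00 0xA0 0x00 0x00 -> renewable, pre-authent (no forwardable bit)
FORWARDABLE_TICKET = bytes.fromhex("40a00000")
NON_FORWARDABLE_TICKET = bytes.fromhex("00a00000")

if __name__ == "__main__":
    print(check_s4u2self_for_s4u2proxy(FORWARDABLE_TICKET))
    try:
        check_s4u2self_for_s4u2proxy(NON_FORWARDABLE_TICKET)
    except NonForwardableTicketError as exc:
        print("refused:", exc)
```

The decoder works on the contents octets of the BIT STRING (after the ASN.1 tag, length and unused-bits byte have been stripped), which is what a DER library hands back for the `flags` field of EncKDCRepPart.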