On 4/30/24 12:49, Ken Hornstein via Kerberos wrote:
> First off, I would advise you to NOT look at upstream Heimdal, because
> that's not helpful because it's not actually the code in question.
> Instead maybe look at the actual Heimdal source code used on MacOS X?

To expand on this: the Apple forks of open-source projects are available at opensource.apple.com, and at https://github.com/apple-oss-distributions (not sure if the latter is official or community-maintained).

I looked at the Apple fork of Heimdal and didn't find any obvious code change to honor ok-as-delegate by default. In fact, it doesn't even implement enforce_ok_as_delegate. But both versions do implement a ccache config setting called "realm-config" and enforce ok-as-delegate if the 1 bit is set in the first byte of the value. Nothing in Heimdal or Apple's fork of it sets realm-config, but the macOS native ccache implementation or login system might do so. James could perhaps test this theory by setting KRB5CCNAME to FILE:something, running kinit -f, and seeing if ssh will forward those tickets.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
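The realm-config setting described in the message above can be checked directly in the FILE ccache produced by the suggested kinit -f test. The following is an added example, not part of the original message and not code from Heimdal or Apple's fork. It assumes the version 4 FILE ccache layout and that config entries are stored as credentials for krb5_ccache_conf_data/<name>@X-CACHECONF: with the value in the ticket field; `Reader`, `config_entries` and `realm_config_bit` are hypothetical names.

```python
import struct
import sys

CONF_REALM = b"X-CACHECONF:"          # realm of ccache config entries (assumed)
CONF_NAME = b"krb5_ccache_conf_data"  # first name component of those entries (assumed)

class Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0
    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]
    def num(self, fmt):               # big-endian integer: "H" 16 bit, "I" 32 bit
        return struct.unpack(">" + fmt, self.take(struct.calcsize(fmt)))[0]
    def data(self):                   # 32-bit length, then that many bytes
        return self.take(self.num("I"))
    def principal(self):              # name type, count, realm, components
        _, count = self.num("I"), self.num("I")
        return self.data(), [self.data() for _ in range(count)]

def config_entries(buf):              # {name: value} of config entries, v4 FILE ccache
    r = Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("not a version 4 FILE ccache")
    r.take(r.num("H"))                # header tags
    r.principal()                     # default principal
    found = {}
    while r.pos < len(buf):
        r.principal()                 # client principal
        realm, comps = r.principal()  # server principal
        r.num("H"); r.data()          # keyblock: key type, key bytes
        r.take(16 + 1 + 4)            # four times, is_skey, ticket flags
        for _ in range(2):            # address list, then authdata list
            for _ in range(r.num("I")):
                r.num("H"); r.data()
        value = r.data(); r.data()    # ticket (holds the value), second ticket
        if realm == CONF_REALM and len(comps) > 1 and comps[0] == CONF_NAME:
            found[comps[1].decode("utf-8", "replace")] = value
    return found

def realm_config_bit(buf):            # None if absent, else: is the 1 bit of byte 0 set?
    value = config_entries(buf).get("realm-config")
    return None if value is None else bool(value and value[0] & 1)

if __name__ == "__main__" and len(sys.argv) > 1:   # argument: path to a FILE ccache
    with open(sys.argv[1], "rb") as f:
        print(realm_config_bit(f.read()))
```

Run it with the path given in KRB5CCNAME, without the FILE: prefix. A result of None means the cache holds no realm-config entry at all.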
