>I looked at the Apple fork of Heimdal and didn't find any obvious code 
>change to honor ok-as-delegate by default.  In fact, it doesn't even 
>implement enforce_ok_as_delegate.  But both versions do implement a 
>ccache config setting called "realm-config" and enforce ok-as-delegate 
>if the 1 bit is set in the first byte of the value.  Nothing in Heimdal 
>or Apple's fork of it sets realm-config, but the macOS native ccache 
>implementation or login system might do so.

You missed this code in kuser/kinit.c:

    if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
        unsigned char d = 0;
        krb5_data data;

        if (ok_as_delegate_flag || windows_flag)
            d |= 1;     /* bit 1: enforce ok-as-delegate for this realm */
        if (use_referrals_flag || windows_flag)
            d |= 2;     /* bit 2: use referrals */

        /* the one-byte value is stored as the "realm-config" ccache config entry */
        data.length = 1;
        data.data = &d;

        krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
    }

However, if I run "kinit --ok-as-delegate" in my MIT-based realm, using
the Mac OS X ssh client, "ssh -K foo" still delegates a credential fine,
so something else is clearly going on.

--Ken
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
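A practical way to settle whether the "realm-config" entry actually landed in the cache that ssh reads is to inspect the ccache directly. The following inspector is added here as an example; it is not code from Heimdal, from MIT Kerberos, or from anyone on this thread. It assumes the version-4 FILE ccache layout (big-endian counted fields, a DeltaTime header, credentials with a keyblock, four timestamps, is_skey, ticket_flags, addresses, authdata, ticket, second_ticket) and assumes Heimdal's naming convention for config entries, a credential whose server principal is krb5_ccache_conf_data/<name>@X-CACHECONF: with the value carried in the ticket field. The sample cache it builds for the demonstration is constructed in the script, not captured from a real system.

```python
import struct
import sys
from typing import Dict, List, Optional, Tuple

# Bit values that Heimdal's kinit writes into the one-byte "realm-config" entry.
REALM_CONFIG_OK_AS_DELEGATE = 0x01   # ok_as_delegate_flag || windows_flag
REALM_CONFIG_USE_REFERRALS = 0x02    # use_referrals_flag || windows_flag

# Assumed config-entry naming: krb5_ccache_conf_data/<name>[/<principal>]@X-CACHECONF:
CONF_REALM = "X-CACHECONF:"
CONF_PREFIX = "krb5_ccache_conf_data"


def _data(b: bytes) -> bytes:
    """Counted data item: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, components: List[str], name_type: int = 1) -> bytes:
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in components)


def _cred(client: bytes, server: bytes, ticket: bytes) -> bytes:
    """One credential record; for a config entry only the ticket field carries data."""
    out = client + server
    out += struct.pack(">H", 0) + _data(b"")      # keyblock: enctype 0, empty key
    out += struct.pack(">IIII", 0, 0, 0, 0)       # authtime, starttime, endtime, renew_till
    out += struct.pack(">BI", 0, 0)               # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)               # no addresses, no authdata
    return out + _data(ticket) + _data(b"")       # ticket, second_ticket


def build_ccache(user: str, realm: str, realm_config: Optional[int]) -> bytes:
    """Construct a minimal version-4 FILE ccache (constructed sample, not a real cache)."""
    hdr = struct.pack(">HHII", 1, 8, 0, 0)        # header tag 1 = DeltaTime, 8 zero bytes
    out = b"\x05\x04" + struct.pack(">H", len(hdr)) + hdr
    client = _principal(realm, [user])
    out += client                                  # default principal
    if realm_config is not None:
        server = _principal(CONF_REALM, [CONF_PREFIX, "realm-config"])
        out += _cred(client, server, bytes([realm_config]))
    return out


class _Reader:
    def __init__(self, buf: bytes) -> None:
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def data(self) -> bytes:
        return self.take(self.u32())

    def principal(self) -> Tuple[str, List[str]]:
        self.u32()                                 # name type
        n = self.u32()
        realm = self.data().decode()
        return realm, [self.data().decode() for _ in range(n)]

    def cred(self) -> Tuple[Tuple[str, List[str]], bytes]:
        self.principal()                           # client principal (unused here)
        server = self.principal()
        self.u16()                                 # keyblock enctype
        self.data()                                # keyblock contents
        self.take(16 + 1 + 4)                      # four timestamps, is_skey, ticket_flags
        for section in range(2):                   # addresses, then authdata
            for _ in range(self.u32()):
                self.u16()                         # addrtype / ad_type
                self.data()
        ticket = self.data()
        self.data()                                # second_ticket
        return server, ticket


def read_config_entries(buf: bytes) -> Dict[str, bytes]:
    """Return {name: value} for every krb5_ccache_conf_data entry in a v4 FILE ccache."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only version 4 FILE ccaches are handled")
    r.take(r.u16())                                # skip header fields
    r.principal()                                  # default principal
    entries: Dict[str, bytes] = {}
    while r.pos < len(buf):
        (realm, comps), ticket = r.cred()
        if realm == CONF_REALM and len(comps) >= 2 and comps[0] == CONF_PREFIX:
            entries[comps[1]] = ticket
    return entries


def realm_config_flags(buf: bytes) -> Tuple[bool, bool]:
    """(ok-as-delegate enforced, referrals enabled); both False when the entry is absent."""
    value = read_config_entries(buf).get("realm-config", b"")
    if not value:
        return False, False
    return (bool(value[0] & REALM_CONFIG_OK_AS_DELEGATE),
            bool(value[0] & REALM_CONFIG_USE_REFERRALS))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_ccache("ken", "EXAMPLE.COM", 1)
    delegate, referrals = realm_config_flags(blob)
    print(f"realm-config: ok-as-delegate={delegate} referrals={referrals}")
```

Run it against a FILE: cache that kinit wrote, e.g. after "kinit --ok-as-delegate -c FILE:/tmp/cc user@REALM", and then make ssh use the same cache via KRB5CCNAME. The default credential cache on Mac OS X is not a FILE: cache, so a cache that only exists in the native API/KCM store cannot be read this way; point kinit at a FILE: cache first. If the entry is present with bit 1 set and the delegation still happens, the cache is not where the difference lies, and the next place to look is the ssh client's GSSAPI library and how it decides on the delegation flag.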