> I looked at the Apple fork of Heimdal and didn't find any obvious code
> change to honor ok-as-delegate by default. In fact, it doesn't even
> implement enforce_ok_as_delegate. But both versions do implement a
> ccache config setting called "realm-config" and enforce ok-as-delegate
> if the 1 bit is set in the first byte of the value. Nothing in Heimdal
> or Apple's fork of it sets realm-config, but the macOS native ccache
> implementation or login system might do so.
You missed this code in kuser/kinit.c:

    if (ok_as_delegate_flag || windows_flag || use_referrals_flag) {
        unsigned char d = 0;
        krb5_data data;

        /* bit 1: enforce ok-as-delegate; bit 2: use referrals.
         * --windows turns on both. */
        if (ok_as_delegate_flag || windows_flag)
            d |= 1;
        if (use_referrals_flag || windows_flag)
            d |= 2;

        /* store the single byte as the "realm-config" ccache config entry */
        data.length = 1;
        data.data = &d;
        krb5_cc_set_config(context, ccache, NULL, "realm-config", &data);
    }

However, if I run "kinit --ok-as-delegate" in my MIT-based realm, using the MacOS X ssh client, "ssh -K foo" still delegates a credential fine, so something else is clearly going on.

--Ken

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
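The realm-config encoding from the kinit snippet and the "1 bit in the first byte" enforcement check from the quoted message, modelled as an added Python example (not code from the thread or from Heimdal). The may_forward_credentials decision is an assumption about how a client that honours the setting would behave; the legacy default of delegating regardless of the ticket flag is inferred from the ssh -K observation above.

```python
# Added example, not Heimdal code: models the realm-config ccache entry
# written by kinit and the enforcement decision a client could base on it.

OK_AS_DELEGATE = 0x01   # set by kinit --ok-as-delegate or --windows
USE_REFERRALS = 0x02    # set by kinit --use-referrals or --windows


def realm_config_bytes(ok_as_delegate=False, windows=False, use_referrals=False):
    """Mirror the kinit logic: return the one-byte value kinit stores under
    "realm-config", or None when kinit would write no entry at all."""
    if not (ok_as_delegate or windows or use_referrals):
        return None
    d = 0
    if ok_as_delegate or windows:
        d |= OK_AS_DELEGATE
    if use_referrals or windows:
        d |= USE_REFERRALS
    return bytes([d])


def enforce_ok_as_delegate(realm_config):
    """True when the 1 bit of the first byte of the entry is set
    (no entry, or an empty value, means no enforcement)."""
    return bool(realm_config) and bool(realm_config[0] & OK_AS_DELEGATE)


def may_forward_credentials(realm_config, ticket_ok_as_delegate):
    """Assumed client decision before forwarding a TGT to a service.
    With enforcement on, the service ticket's ok-as-delegate flag decides;
    otherwise the client keeps the legacy behaviour and delegates anyway."""
    if enforce_ok_as_delegate(realm_config):
        return bool(ticket_ok_as_delegate)
    return True
```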