Closed joakim-tjernlund closed 2 years ago
Tuurtje
commented
3 years ago I added that hardcoded line. And it would be nicer to have in a configuration file.
In normal situations you would always split the CA function and the CEP/CES function and kerberos delegation is needed. In non-production environments you could combine the roles and delegation wouldn't be needed.
Feel free to update the code and create a pull request.
Arthur
joakim-tjernlund
commented
3 years ago I do not speak python so no PR from me :( Does CVE-2020-17049 has any bearing on cepces w.r.t delegation ?
dmulder
commented
2 years ago @Tuurtje and @joakim-tjernlund I'll look at adding a configuration option for this.
dmulder
commented
2 years ago Does CVE-2020-17049 has any bearing on cepces w.r.t delegation ?
CVE-2020-17049 was fixed by causing the KDC to sign tickets in a S4U2self exchange (and the signature is in the PAC, and protected from alternation). Later, in an S4U2proxy exchange (during delegation), the KDC validates that signature to ensure the service didn't modify the ticket (flipping the forwardable bit). Since CVE-2020-17049 is fixed by taking extra precautions in the KDC, it isn't really relevant here.
dmulder
commented
2 years ago @joakim-tjernlund would you be able to test the changes in mr #7?
In commit https://github.com/openSUSE/cepces/commit/ec43940de38e3b23192552ecc185476937013e8e delegate=True is hardcoded. I wonder if that sensible choice for everyone? Perhaps a config knob instead?