Re: Tickets with instance names.

[Mats Erik Andersson]

torsdag den  9 augusti 2012 klockan 23:14 skrev Simon Josefsson detta:
> Mats Erik Andersson <address@hidden> writes:
> 
> > Hello again,
> >
> > I am not sure whether the following is due to my lack of
> > understanding the matter at hand, or wether there is a
> > incompleteness on behalf of libshishi.
> >
> > I have created an administrator
> >
> >     # shisa -a --password LOCALHOST sigge/admin
> >
> > Then I request a TGT in my administrator role:
> >
> >     $ shishi sigge/address@hidden
> >
> > This fails due to SHISHI_CNAME_MISMATCH. In fact,
> >
> >     AS-REQ:  "req-body.cname.name-string" -> { "sigge", "admin" }
> >
> > is of componen length 2, whereas
> >
> >     AS-REP:  "cname.name-string" -> { "sigge/admin" }
> >
> > is of component length 1. Thus shishi_as_check_cname() fails
> > immediately.
> >
> > Am I incorrect in believing that AS-REP was built from incorrect
> > data, since the name string is not split into name proper and
> > instance name?
> 
> Yes.  The code parsing sigge/admin should probably have splitted that
> into two components.  Is that a Shishi KDC?  It sounds like a bug.

Client and server built from GNU Inetutils development head,
so libshishi is incomplete here. A quick search reveals that
"lib/encticketpart.c" and "lib/kdc.c" are accessing the ASN.1
descriptor "sname.name-string", so presumably either of these
files could be cheating.

Regards,

  Mats