Discussion:
end of pointer arrays in krb5_creds
Rick van Rein
2016-09-15 23:12:31 UTC
Hi,

I'm trying to use the krb5_creds.authdata and/or krb5_creds.addresses;
it's of type (krb5_authdata **) so probably an array.

Are these arrays NULL-terminated? It seems to be lost in the documentation.

-Rick
_______________________________________________
krbdev mailing list ***@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
Greg Hudson
2016-09-15 23:30:38 UTC
Post by Rick van Rein
I'm trying to use the krb5_creds.authdata and/or krb5_creds.addresses;
it's of type (krb5_authdata **) so probably an array.
Are these arrays NULL-terminated? It seems to be lost in the documentation.
Yes, they are.

Rick van Rein
2016-09-16 08:40:12 UTC
Hi,

Thanks. A surprise that I am running into:

The hostaddresses are OPTIONAL, so I would have expected the array pointer (so the **) to be NULL when no host addresses are present in the krb5_creds structure. However, when using "kinit -A" to log in, I do find an array but its first element is NULL.

Normally I would have assumed that a list is prescribing, unless absent. But it seems that the empty list is an exception, and treated as a carte blanche re. host addresses.

This confuses me somewhat -- what does it mean if there are only IPv4 addresses on the list, and I am approached over an IPv6 address? My gut feeling says "reject"... right?

-Rick

Greg Hudson
2016-09-18 06:05:35 UTC
Post by Rick van Rein
The hostaddresses are OPTIONAL, so I would have expected the array pointer (so the **) to be NULL when no host addresses are present in the krb5_creds structure. However, when using "kinit -A" to log in, I do find an array but its first element is NULL.
(kinit -A is normally the default, right?)

Most of the time, your instinct is correct; in Kerberos ASN.1 objects,
sequences like this are usually optional but non-empty when present, and
the corresponding MIT krb5 C structures contain a NULL pointer when the
sequence is absent. For instance, EncTicketPart contains the field
"caddr [9] HostAddresses OPTIONAL", where HostAddresses has the comment
"HostAddresses is always used as an OPTIONAL field and should not be
empty." And in a krb5_enc_tkt_part object, the caddrs field will be
NULL if no address restrictions are present in the ticket.

However, the krb5_creds type is marshalled to and from ccache files
using a different subsystem, and the unmarshalling code always creates
an array for the addresses and authdata fields. This is a historical
inconsistency, which there probably isn't much benefit in fixing.
Post by Rick van Rein
Normally I would have assumed that a list is prescribing, unless absent. But it seems that the empty list is an exception, and treated as a carte blanche re. host addresses.
Enforcement of address restrictions isn't done using a krb5_creds
object. When you acquire a ticket, the KDC tells the client what
address restrictions are present in the ticket for the client's
information, and the client notes that in the krb5_creds object that it
marshals out to the ccache. That information can be shown with klist
-a, but otherwise isn't used (as far as I know).
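Added illustration (not code from this thread, from Rick, or from MIT krb5) of the two points above: walking a NULL-terminated address array, and treating a NULL pointer (the ASN.1 "absent" case) and a non-NULL array whose first element is NULL (what the ccache unmarshalling produces) the same way. The addr_t struct and the make_*/addr_* helpers are stand-ins constructed for the example so it builds without libkrb5; only the ADDRTYPE numeric values are taken from krb5.h. The membership check is a plain exact match on type and bytes, so an IPv6 address is simply "not found" in an IPv4-only list; as Greg notes, the real enforcement of address restrictions does not happen from a krb5_creds object, so this is a lookup, not a policy decision.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for krb5_address, constructed for this example; the real
 * declaration lives in <krb5.h> and is not reproduced here. */
typedef struct {
    int addrtype;
    unsigned int length;
    unsigned char *contents;
} addr_t;

/* Numeric values of the ADDRTYPE_INET / ADDRTYPE_INET6 macros in krb5.h,
 * restated under example-local names so the file is self-contained. */
#define EX_ADDRTYPE_INET  0x0002
#define EX_ADDRTYPE_INET6 0x0018

/* Walk a NULL-terminated array. A NULL pointer and an empty array both
 * count as zero entries. */
size_t addr_count(addr_t **addrs)
{
    size_t n = 0;
    if (addrs == NULL)
        return 0;
    while (addrs[n] != NULL)
        n++;
    return n;
}

/* The distinction discussed in the thread: structures decoded from ASN.1 use
 * a NULL pointer for an absent list, while a krb5_creds read back from a
 * ccache carries a non-NULL array with addrs[0] == NULL. Both mean "no
 * addresses recorded". */
int addr_list_has_entries(addr_t **addrs)
{
    return addrs != NULL && addrs[0] != NULL;
}

/* Exact match on type and bytes: 1 if found, 0 if not, -1 if the list
 * records no addresses at all (the caller decides what that means). */
int addr_in_list(addr_t **addrs, int addrtype, const unsigned char *bytes,
                 unsigned int len)
{
    if (!addr_list_has_entries(addrs))
        return -1;
    for (size_t i = 0; addrs[i] != NULL; i++) {
        if (addrs[i]->addrtype == addrtype && addrs[i]->length == len &&
            memcmp(addrs[i]->contents, bytes, len) == 0)
            return 1;
    }
    return 0;
}

/* Build one heap-allocated entry from constructed sample bytes. */
static addr_t *make_addr(int addrtype, const unsigned char *bytes,
                         unsigned int len)
{
    addr_t *a = malloc(sizeof *a);
    if (a == NULL) abort();
    a->addrtype = addrtype;
    a->length = len;
    a->contents = malloc(len);
    if (a->contents == NULL) abort();
    memcpy(a->contents, bytes, len);
    return a;
}

/* Constructed sample: a list holding only IPv4 addresses, NULL-terminated. */
addr_t **make_ipv4_only_list(void)
{
    static const unsigned char a1[4] = {192, 0, 2, 10};
    static const unsigned char a2[4] = {192, 0, 2, 11};
    addr_t **list = calloc(3, sizeof *list);   /* two entries + terminator */
    if (list == NULL) abort();
    list[0] = make_addr(EX_ADDRTYPE_INET, a1, 4);
    list[1] = make_addr(EX_ADDRTYPE_INET, a2, 4);
    list[2] = NULL;
    return list;
}

/* Constructed sample of the ccache case: an array whose first element is NULL. */
addr_t **make_empty_list(void)
{
    addr_t **list = calloc(1, sizeof *list);
    if (list == NULL) abort();
    list[0] = NULL;
    return list;
}

void free_addr_list(addr_t **addrs)
{
    if (addrs == NULL) return;
    for (size_t i = 0; addrs[i] != NULL; i++) {
        free(addrs[i]->contents);
        free(addrs[i]);
    }
    free(addrs);
}

int main(void)
{
    addr_t **v4 = make_ipv4_only_list();
    addr_t **empty = make_empty_list();
    const unsigned char v6[16] = {0x20,0x01,0x0d,0xb8,0,0,0,0,0,0,0,0,0,0,0,1};
    const unsigned char v4a[4] = {192, 0, 2, 10};

    printf("absent: %zu entries, has_entries=%d\n",
           addr_count(NULL), addr_list_has_entries(NULL));
    printf("empty:  %zu entries, has_entries=%d\n",
           addr_count(empty), addr_list_has_entries(empty));
    printf("v4:     %zu entries, v4 match=%d, v6 match=%d\n", addr_count(v4),
           addr_in_list(v4, EX_ADDRTYPE_INET, v4a, 4),
           addr_in_list(v4, EX_ADDRTYPE_INET6, v6, 16));
    free_addr_list(v4);
    free_addr_list(empty);
    return 0;
}
```

Against the real krb5_creds the same loops apply to creds.addresses (krb5_address **) and creds.authdata (krb5_authdata **); the only thing to remember is that after krb5_cc_retrieve_cred the pointer may be non-NULL even when nothing is there, so test addrs[0] rather than the pointer itself.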