Hi,

Can you please bump your dependency on timfel-krb5-auth to the latest version? There has been a patch which resolves an issue when building timfel-krb5-auth on some systems. Version 0.8.3 resolves this issue.

Thanks!

As the MIT Kerberos docs say

Whenever a program grants access to a resource (such as a local login session on a desktop computer) based on a user successfully getting initial Kerberos credentials, it must verify those credentials against a secure shared secret (e.g., a host keytab) to ensure that the user credentials actually originate from a legitimate KDC. Failure to perform this verification is a critical vulnerability, because a malicious user can execute the “Zanarotti attack”: the user constructs a fake response that appears to come from the legitimate KDC, but whose contents come from an attacker-controlled KDC.

In other words: since omniauth-kerberos does not provide any way to verify the providence of the user credentials, it is vulnerable to spoofing the KDC.

Hi,
I am packaging omniauth-kerberos for Debian, as part of GitLab packaging. I saw that you have added some tests (thanks for those, btw) after the last release. Can you cut a new release with these tests included? It would be a great help.

Thanks