#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0)
#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS (1 << 1)
+#define KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK (1 << 2)
#define KRB5_GC_CACHED (1U << 0)
#define KRB5_GC_USER_USER (1U << 1)
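Review bot: The new `KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK` define is added without a comment, although the later hunk shows that setting it makes the acceptor bypass `check_transited()` for tickets the KDC has not marked transited-policy-checked. A short comment above the define would tell callers what they are giving up, for example `/* Do not validate the transited realm path, even if the KDC has not checked it. */`. It is also worth stating there that the flag is intended for callers that validate cross-realm trust by other means, if that is the intent; the visible lines do not say.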
{
krb5_timestamp now;
time_t start = t.authtime;
+ krb5_boolean skip_transit_check = FALSE;
krb5_timeofday (context, &now);
if(t.starttime)
return KRB5KRB_AP_ERR_TKT_EXPIRED;
}
- if(!t.flags.transited_policy_checked) {
+ if(t.flags.transited_policy_checked) {
+ skip_transit_check = TRUE;
+ } else if(flags & KRB5_VERIFY_AP_REQ_SKIP_TRANSITED_CHECK) {
+ skip_transit_check = TRUE;
+ } else {
+ skip_transit_check = krb5_config_get_bool_default(context,
+ NULL,
+ FALSE,
+ "libdefaults",
+ "acceptor_skip_transit_check",
+ NULL);
+ }
+
+ if (!skip_transit_check) {
ret = check_transited(context, ticket, &t);
if(ret) {
free_EncTicketPart(&t);
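Review bot: The `acceptor_skip_transit_check` lookup in the final `else` branch reads only `libdefaults`, so enabling it turns off `check_transited()` for every ticket this acceptor decrypts that the KDC did not mark as checked, not just for one trusted realm. Neither that branch nor the flag branch leaves a trace, so an operator cannot tell from logs that a ticket was accepted with an unvalidated transited path. I would add a comment above the chain such as `/* Only the KDC's transited-policy-checked flag proves the path was validated; the flag and the libdefaults option skip validation entirely. */` and emit a debug-level message when the skip comes from the flag or the config rather than from the ticket. The option also needs an entry in the krb5.conf documentation with the same caveat. The enclosing block starts and ends outside this hunk, so the error path after `free_EncTicketPart(&t)` is not visible here.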