[Heimdal-source-changes] [heimdal/heimdal] c62322: kdc: perform AS-REQ canonicalization in kdc

[GitHub]

  Branch: refs/heads/master
  Home:   https://github.com/heimdal/heimdal
  Commit: c6232299c3b2831d5d8ecf701fcd286ae509fba8
      https://github.com/heimdal/heimdal/commit/c6232299c3b2831d5d8ecf701fcd286ae509fba8
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-01-05 (Sat, 05 Jan 2019)

  Changed paths:
    M kdc/kerberos5.c
    M lib/hdb/common.c

  Log Message:
  -----------
  kdc: perform AS-REQ canonicalization in kdc

Mirroring the logic recently introduced in the TGS, this patch modifies the KDC
to perform client and server canonicalization itself rather than relying on the
backend to do so. Per RFC 6806, the behavior is slightly different for the AS
in that the setting of the canonicalize flag in the AS-REQ does impact the
returned names in the ticket. In order to support realm canonicalization or
other custom behavior, we allow the backend to force the KDC to canonicalize by
setting the force-canonicalize flag in the returned client or server entries.


  Commit: 1b7e196e6608816d18ed81c6fff0383263877478
      https://github.com/heimdal/heimdal/commit/1b7e196e6608816d18ed81c6fff0383263877478
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-01-05 (Sat, 05 Jan 2019)

  Changed paths:
    M kdc/kerberos5.c
    M lib/hdb/common.c

  Log Message:
  -----------
  kdc: move more name canonicalization logic to KDC

Enterprise principal client names in AS-REQs should always be canonicalized
irrespective of the setting the canonicalize KDC option. Perform this check in
the KDC rather than HDB.

Do not set the HDB_F_GET_KRBTGT flag unless the client actually requested a TGS
principal.


Compare: https://github.com/heimdal/heimdal/compare/6bb8eaca2052...1b7e196e6608
      **NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/

      Functionality will be removed from GitHub.com on January 31st, 2019.