[Heimdal-source-changes] [heimdal/heimdal] 625eb2: kdc: use actual client princ for KRB5SignedPath
Isaac Boukris
noreply at github.com
Sön May 19 05:23:43 CEST 2019
Branch: refs/heads/jaltman/heimdal-7.6-fixes
Home: https://github.com/heimdal/heimdal
Commit: 625eb27347e0bbb4d2a617b0a5f9ec336c791e08
https://github.com/heimdal/heimdal/commit/625eb27347e0bbb4d2a617b0a5f9ec336c791e08
Author: Luke Howard <lukeh at padl.com>
Date: 2019-05-18 (Sat, 18 May 2019)
Changed paths:
M kdc/kerberos5.c
M kdc/krb5tgs.c
Log Message:
-----------
kdc: use actual client princ for KRB5SignedPath
When generating KRB5SignedPath in the AS, use the reply client name rather than
the one from the request, so validation will work correctly in the TGS.
(cherry picked from commit c634146b14be9746d70d6a448e9bb2dd6f518c44)
Commit: 3d72b44772bce5d0139d7bc8672834ac8bab6f46
https://github.com/heimdal/heimdal/commit/3d72b44772bce5d0139d7bc8672834ac8bab6f46
Author: Luke Howard <lukeh at padl.com>
Date: 2019-05-18 (Sat, 18 May 2019)
Changed paths:
M lib/krb5/init_creds.c
M lib/krb5/krb5_locl.h
M lib/krb5/pkinit.c
Log Message:
-----------
krb5: don't require krbtgt otherName match for Win2K
Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do
not require krbtgt otherName to match when validating KDC certificate.
(cherry picked from commit 8350f34a05ba2cbc1ead0214eb85352f8e7805ef)
Commit: 6116640a18d049accb0217cf319e10416daa2190
https://github.com/heimdal/heimdal/commit/6116640a18d049accb0217cf319e10416daa2190
Author: Luke Howard <lukeh at padl.com>
Date: 2019-05-18 (Sat, 18 May 2019)
Changed paths:
M lib/krb5/pkinit.c
Log Message:
-----------
krb5: set PKINIT_BTMM flag per Apple implementation
(cherry picked from commit fd209c5dca89e599f24a853cc9e9a55dc2d04f4c)
Commit: 4f864fb74442882b879f5fad1630049d0c2fbc28
https://github.com/heimdal/heimdal/commit/4f864fb74442882b879f5fad1630049d0c2fbc28
Author: Luke Howard <lukeh at padl.com>
Date: 2019-05-18 (Sat, 18 May 2019)
Changed paths:
M kuser/klist.c
Log Message:
-----------
klist: display all known flags when listing tickets
Show transited-policy-checked, ok-as-delegate and anonymous flags when listing
credentials.
(cherry picked from commit a7bb4504f2f3dfb276f8aa154858f46ed1063011)
Commit: 17c7042bce2e578cf1bad01b6aacef0f84fd210a
https://github.com/heimdal/heimdal/commit/17c7042bce2e578cf1bad01b6aacef0f84fd210a
Author: Isaac Boukris <iboukris at gmail.com>
Date: 2019-05-18 (Sat, 18 May 2019)
Changed paths:
M kdc/krb5tgs.c
M lib/krb5/libkrb5-exports.def.in
M lib/krb5/version-script.map
M tests/kdc/check-kdc.in
Log Message:
-----------
kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
Signed-off-by: Isaac Boukris <iboukris at gmail.com>
(cherry picked from commit b7fe0fb85a780fed3c54ed2539fc974db1884dc2)
Compare: https://github.com/heimdal/heimdal/compare/625eb27347e0%5E...17c7042bce2e
More information about the Heimdal-source-changes
mailing list