[Heimdal-source-changes] [heimdal/heimdal] 625eb2: kdc: use actual client princ for KRB5SignedPath

Isaac Boukris noreply at github.com
Sun May 19 05:23:43 CEST 2019


  Branch: refs/heads/jaltman/heimdal-7.6-fixes
  Home:   https://github.com/heimdal/heimdal
  Commit: 625eb27347e0bbb4d2a617b0a5f9ec336c791e08
      https://github.com/heimdal/heimdal/commit/625eb27347e0bbb4d2a617b0a5f9ec336c791e08
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-05-18 (Sat, 18 May 2019)

  Changed paths:
    M kdc/kerberos5.c
    M kdc/krb5tgs.c

  Log Message:
  -----------
  kdc: use actual client princ for KRB5SignedPath

When generating KRB5SignedPath in the AS, use the reply client name rather than
the one from the request, so validation will work correctly in the TGS.

(cherry picked from commit c634146b14be9746d70d6a448e9bb2dd6f518c44)


  Commit: 3d72b44772bce5d0139d7bc8672834ac8bab6f46
      https://github.com/heimdal/heimdal/commit/3d72b44772bce5d0139d7bc8672834ac8bab6f46
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-05-18 (Sat, 18 May 2019)

  Changed paths:
    M lib/krb5/init_creds.c
    M lib/krb5/krb5_locl.h
    M lib/krb5/pkinit.c

  Log Message:
  -----------
  krb5: don't require krbtgt otherName match for Win2K

Merged from Apple branch: when the Win2K PKINIT compatibility option is set, do
not require the krbtgt otherName to match when validating the KDC certificate.

(cherry picked from commit 8350f34a05ba2cbc1ead0214eb85352f8e7805ef)


  Commit: 6116640a18d049accb0217cf319e10416daa2190
      https://github.com/heimdal/heimdal/commit/6116640a18d049accb0217cf319e10416daa2190
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-05-18 (Sat, 18 May 2019)

  Changed paths:
    M lib/krb5/pkinit.c

  Log Message:
  -----------
  krb5: set PKINIT_BTMM flag per Apple implementation

(cherry picked from commit fd209c5dca89e599f24a853cc9e9a55dc2d04f4c)


  Commit: 4f864fb74442882b879f5fad1630049d0c2fbc28
      https://github.com/heimdal/heimdal/commit/4f864fb74442882b879f5fad1630049d0c2fbc28
  Author: Luke Howard <lukeh at padl.com>
  Date:   2019-05-18 (Sat, 18 May 2019)

  Changed paths:
    M kuser/klist.c

  Log Message:
  -----------
  klist: display all known flags when listing tickets

Show transited-policy-checked, ok-as-delegate and anonymous flags when listing
credentials.

(cherry picked from commit a7bb4504f2f3dfb276f8aa154858f46ed1063011)


  Commit: 17c7042bce2e578cf1bad01b6aacef0f84fd210a
      https://github.com/heimdal/heimdal/commit/17c7042bce2e578cf1bad01b6aacef0f84fd210a
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2019-05-18 (Sat, 18 May 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  kdc: allow checksum of PA-FOR-USER to be HMAC_MD5

even if the TGT used an enctype with a different checksum.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.

In Heimdal both the client and the KDC instead use the
checksum of the TGT, and therefore work with each other,
but Windows and MIT clients fail against a Heimdal KDC.

Both Windows and MIT KDCs would allow any keyed checksum
to be used, so Heimdal clients work fine against them.

Change the Heimdal KDC to allow HMAC_MD5 even for a non-RC4-based
TGT in order to support per-spec clients.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
(cherry picked from commit b7fe0fb85a780fed3c54ed2539fc974db1884dc2)


Compare: https://github.com/heimdal/heimdal/compare/625eb27347e0%5E...17c7042bce2e

