[Heimdal-source-changes] [heimdal/heimdal] 979355: kdc: allow checksum of PA-FOR-USER to be HMAC_MD5

Isaac Boukris noreply at github.com
Mon May 20 14:30:26 CEST 2019


  Branch: refs/heads/heimdal-7-1-branch
  Home:   https://github.com/heimdal/heimdal
  Commit: 9793551bb919d0dc6b41d9d6b80356f44d82ac9e
      https://github.com/heimdal/heimdal/commit/9793551bb919d0dc6b41d9d6b80356f44d82ac9e
  Author: Isaac Boukris <iboukris at gmail.com>
  Date:   2019-05-20 (Mon, 20 May 2019)

  Changed paths:
    M kdc/krb5tgs.c
    M lib/krb5/libkrb5-exports.def.in
    M lib/krb5/version-script.map
    M tests/kdc/check-kdc.in

  Log Message:
  -----------
  kdc: allow checksum of PA-FOR-USER to be HMAC_MD5

even if tgt used an enctype with a different checksum.

Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.

In Heimdal both the client and KDC instead use the
checksum of the TGT, and therefore work with each other,
but Windows and MIT clients fail against a Heimdal KDC.

Both Windows and MIT KDCs would allow any keyed checksum
to be used, so Heimdal clients work fine against them.

Change Heimdal KDC to allow HMAC_MD5 even for non-RC4
based TGT in order to support per-spec clients.

Back ported from master, commit:
b7fe0fb85a780fed3c54ed2539fc974db1884dc2

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
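
The per-spec PA-FOR-USER checksum referred to in the log message, as an added Python example that is not part of the commit or of Heimdal's code: it builds the checksum input described in [MS-SFU] 2.2.1 and applies the RFC 4757 HMAC-MD5 checksum with usage 17. It assumes the raw TGT session key bytes are used as the HMAC key whatever the key's enctype; the key, user and realm are constructed sample values.

```python
import hashlib
import hmac
import struct

KERB_CHECKSUM_HMAC_MD5 = -138   # checksum type number from RFC 4757
KU_S4U_USAGE = 17               # usage value [MS-SFU] 2.2.1 passes to the checksum
AUTH_PACKAGE = "Kerberos"

def s4u_byte_array(name_type, name_strings, realm, auth_package=AUTH_PACKAGE):
    """Checksum input: 4-byte little-endian name-type, then each name string,
    the realm and the auth-package, with no NUL terminators."""
    parts = [struct.pack("<I", name_type)]
    parts += [s.encode("utf-8") for s in name_strings]
    parts += [realm.encode("utf-8"), auth_package.encode("utf-8")]
    return b"".join(parts)

def kerb_checksum_hmac_md5(key, usage, data):
    """RFC 4757 checksum: Ksign = HMAC-MD5(key, "signaturekey" + NUL),
    then HMAC-MD5(Ksign, MD5(usage_le32 || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()

def pa_for_user_checksum(session_key, name_type, name_strings, realm):
    data = s4u_byte_array(name_type, name_strings, realm)
    return kerb_checksum_hmac_md5(session_key, KU_S4U_USAGE, data)

def verify_pa_for_user(session_key, cksumtype, cksum, name_type, name_strings, realm):
    """Accept HMAC_MD5 whatever enctype the TGT session key belongs to."""
    if cksumtype != KERB_CHECKSUM_HMAC_MD5:
        return False  # other keyed checksum types are out of scope for this sketch
    expected = pa_for_user_checksum(session_key, name_type, name_strings, realm)
    return hmac.compare_digest(expected, cksum)

# Constructed sample: a 32-byte (AES256-sized) session key and a user principal.
SAMPLE_KEY = bytes(range(32))
SAMPLE = (1, ["alice"], "EXAMPLE.TEST")   # name-type 1 = NT-PRINCIPAL

if __name__ == "__main__":
    ck = pa_for_user_checksum(SAMPLE_KEY, *SAMPLE)
    print(ck.hex(), verify_pa_for_user(SAMPLE_KEY, KERB_CHECKSUM_HMAC_MD5, ck, *SAMPLE))
```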



