[Heimdal-source-changes] [heimdal/heimdal] 78a1a3: Optional backwards-compatible anon-pkinit behaviour
Viktor Dukhovni
noreply at github.com
Wed Sep 4 01:30:49 CEST 2019
Branch: refs/heads/heimdal-7-1-branch
Home: https://github.com/heimdal/heimdal
Commit: 78a1a3d66a825a84c6b2275b359355557760b542
https://github.com/heimdal/heimdal/commit/78a1a3d66a825a84c6b2275b359355557760b542
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2019-09-03 (Tue, 03 Sep 2019)
Changed paths:
M kdc/default_config.c
M kdc/kdc.8
M kdc/kdc.h
M kdc/kerberos5.c
M kdc/pkinit.c
M kuser/kinit.1
M kuser/kinit.c
M lib/krb5/krb5.conf.5
M lib/krb5/krb5.h
M lib/krb5/principal.c
M lib/krb5/ticket.c
Log Message:
-----------
Optional backwards-compatible anon-pkinit behaviour

* Anonymous pkinit responses from the KDC where the name
  type is not well-known (as issued by 7.5 KDCs and earlier)
  are accepted by the client. There is no need for the client
  to strictly enforce the name type.

* With historical_anon_pkinit = true, the kinit(1) client's
  "--anonymous" option only performs anon pkinit, and does
  not require an '@' prefix for the realm argument.

* With historical_anon_realm = true, the KDC issues anon
  pkinit tickets with the legacy pre-7.0 "real" realm.