[Heimdal-source-changes] [heimdal/heimdal] fae8df: Optional backwards-compatible anon-pkinit behaviour
Viktor Dukhovni
noreply at github.com
Thu Sep 5 00:00:17 CEST 2019
Branch: refs/heads/master
Home: https://github.com/heimdal/heimdal
Commit: fae8df383961a4843a832ec7bf49443be5518202
https://github.com/heimdal/heimdal/commit/fae8df383961a4843a832ec7bf49443be5518202
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: 2019-09-04 (Wed, 04 Sep 2019)
Changed paths:
M kdc/default_config.c
M kdc/kdc.8
M kdc/kdc.h
M kdc/kerberos5.c
M kdc/pkinit.c
M kuser/kinit.1
M kuser/kinit.c
M lib/krb5/krb5.conf.5
M lib/krb5/krb5.h
M lib/krb5/principal.c
M lib/krb5/ticket.c
Log Message:
-----------
Optional backwards-compatible anon-pkinit behaviour

* Anonymous pkinit responses from the KDC where the name
  type is not well-known (as issued by 7.5 KDCs and earlier)
  are accepted by the client. There is no need for the client
  to strictly enforce the name type.
* With historical_anon_pkinit = true, the kinit(1) client's
  "--anonymous" option only performs anon pkinit, and does
  not require an '@' prefix for the realm argument.
* With historical_anon_realm = true, the KDC issues anon
  pkinit tickets with the legacy pre-7.0 "real" realm.