git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Sat, 8 Jan 2022 03:41:30 +0000 (22:41 -0500)
committer	Greg Hudson <ghudson@mit.edu>
	Wed, 12 Jan 2022 18:28:07 +0000 (13:28 -0500)
commit	a441fbe329ebbd7775eb5d4ccc4a05eef370f08b
tree	ed56952614e5c72981d48d75398d33b2a7fffb05	tree
parent	c85894cfb784257a6acb4d77d8c75137d2508f5e	commit \| diff

Replace AD-SIGNEDPATH with minimal PACs

Remove all of the AD-SIGNEDPATH code.  Instead, issue a signed minimal
PAC in all tickets and require a valid PAC to be present in all
tickets presented for S4U operations.  Remove the get_authdata_info()
and sign_authdata() DAL methods, and add an issue_pac() method to
allow the KDB to add or copy buffers to the PAC.  Add a disable_pac
realm flag.

Microsoft revised the S4U2Proxy rules for forwardable tickets.  All
S4U2Proxy operations require forwardable evidence tickets, but
S4U2Self should issue a forwardable ticket if the requesting service
has no ok-to-auth-as-delegate bit but also no constrained delegation
privileges for traditional S4U2Proxy.  Implement these rules,
extending the check_allowed_to_delegate() DAL method so that the KDC
can ask if a principal has any delegation privileges.

Combine the KRB5_KDB_FLAG_ISSUE_PAC and
KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT.

Rename the KRB5_KDB_FLAG_CANONICALIZE flag to
KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for
lookup operations that can use a realm referral.

For consistency with Active Directory, honor the no-auth-data-required
server principal flag for S4U2Proxy but not for S4U2Self.  Previously
we did the reverse.

ticket: 9044 (new)

doc/admin/conf_files/kdc_conf.rst		diff \| blob \| blame \| history
src/include/k5-int.h		diff \| blob \| blame \| history
src/include/kdb.h		diff \| blob \| blame \| history
src/kdc/do_as_req.c		diff \| blob \| blame \| history
src/kdc/do_tgs_req.c		diff \| blob \| blame \| history
src/kdc/kdc_authdata.c		diff \| blob \| blame \| history
src/kdc/kdc_util.c		diff \| blob \| blame \| history
src/kdc/kdc_util.h		diff \| blob \| blame \| history
src/kdc/main.c		diff \| blob \| blame \| history
src/kdc/realm_data.h		diff \| blob \| blame \| history
src/kdc/tgs_policy.c		diff \| blob \| blame \| history
src/lib/kdb/kdb5.c		diff \| blob \| blame \| history
src/lib/kdb/libkdb5.exports		diff \| blob \| blame \| history
src/lib/krb5/asn.1/asn1_k_encode.c		diff \| blob \| blame \| history
src/lib/krb5/krb/Makefile.in		diff \| blob \| blame \| history
src/lib/krb5/krb/authdata.c		diff \| blob \| blame \| history
src/lib/krb5/krb/deps		diff \| blob \| blame \| history
src/lib/krb5/krb/kfree.c		diff \| blob \| blame \| history
src/lib/krb5/krb/s4u_authdata.c	[deleted file]	blob \| blame \| history
src/lib/krb5/libkrb5.exports		diff \| blob \| blame \| history
src/plugins/kdb/db2/db2_exp.c		diff \| blob \| blame \| history
src/plugins/kdb/ldap/ldap_exp.c		diff \| blob \| blame \| history
src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c		diff \| blob \| blame \| history
src/plugins/kdb/test/kdb_test.c		diff \| blob \| blame \| history
src/tests/asn.1/krb5_decode_leak.c		diff \| blob \| blame \| history
src/tests/asn.1/krb5_decode_test.c		diff \| blob \| blame \| history
src/tests/asn.1/krb5_encode_test.c		diff \| blob \| blame \| history
src/tests/asn.1/ktest.c		diff \| blob \| blame \| history
src/tests/asn.1/ktest.h		diff \| blob \| blame \| history
src/tests/asn.1/ktest_equal.c		diff \| blob \| blame \| history
src/tests/asn.1/ktest_equal.h		diff \| blob \| blame \| history
src/tests/asn.1/reference_encode.out		diff \| blob \| blame \| history
src/tests/asn.1/trval_reference.out		diff \| blob \| blame \| history
src/tests/gssapi/t_s4u.py		diff \| blob \| blame \| history
src/tests/t_authdata.py		diff \| blob \| blame \| history