]> git.ipfire.org Git - thirdparty/krb5.git/commit
projects / thirdparty / krb5.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: bf5953c) | patch
Allow client canonicalization in non-krbtgt AS-REP 986/head
authorIsaac Boukris <iboukris@gmail.com>
Tue, 15 Oct 2019 17:41:49 +0000 (20:41 +0300)
committerGreg Hudson <ghudson@mit.edu>
Sun, 3 Nov 2019 17:44:00 +0000 (12:44 -0500)
commitc6c19b1d35c6523cb7ed220c1f2e97e12e039293
treedb979ed54f8fa5e0c4a5c04a9190b1f50068f214tree
parentbf5953c549a6d279977df69ffe89b2ba51460eafcommit | diff
Allow client canonicalization in non-krbtgt AS-REP

If a caller makes an AS-REQ with the canonicalize flag set (or with an
enterprise client principal or the anonymous flag), always allow the
KDC to change the client principal.  Continue to restrict server name
changes to requests for TGS principals.

Also remove the conditional for setting canon_ok for fully anonymous
requests.  Both kinds of anonymous requests change the client
principal or realm, but neither kind changes the server principal or
realm, so this logic is no longer needed now that canon_ok only
applies to server name changes.

[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT
clause]

ticket: 8843 (new)
src/lib/krb5/krb/get_in_tkt.c diff | blob | blame | history
src/tests/t_kdb.py diff | blob | blame | history
Mirror of https://github.com/krb5/krb5.git