From: rt-comment at krbdev.mit.edu (W.Michael Petullo via RT)
Date: Thu, 1 Oct 2009 21:08:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6570] PATCH: Fix symbol collision between krb5 1.7 and uClibc

I have attached a patch against krb5 1.7 that fixes a symbol collision between krb5 and uClibc. This allows one to compile krb5 against uClibc.

Mike

From: rt-comment at krbdev.mit.edu (Tom Yu via RT)
Date: Fri, 2 Oct 2009 17:47:41 +0000 (UTC)
Subject: [krbdev.mit.edu #6570] PATCH: Fix symbol collision between krb5 1.7 and uClibc

W.Michael Petullo via RT writes:

> I have attached a patch against krb5 1.7 that fixes a symbol collision
> between krb5 and uClibc. This allows one to compile krb5 against uClibc.

Thanks. Why is there a definition of ruserpass() in uClibc? It looks useful only to the ftp client. Should we use a system-provided copy of ruserpass() if available? We might perform the function renaming as an interim solution if we are going to attempt to use the system version of the function.

From: rt-comment at krbdev.mit.edu (Arlene Berry via RT)
Date: Thu, 8 Oct 2009 22:03:01 +0000 (UTC)
Subject: [krbdev.mit.edu #6571] krb5 1.7 memory leak

The enc_padata field that was added to the krb5_enc_kdc_rep_part structure for 1.7 is being leaked. Our fix is below. It looks like the second change was done in trunk when the S4U changes were merged.

Modified: src/lib/krb5/asn.1/asn1_k_decode.c
===================================================================
--- src/lib/krb5/asn.1/asn1_k_decode.c 2009-10-07 22:25:00 UTC (rev 37774)
+++ src/lib/krb5/asn.1/asn1_k_decode.c 2009-10-07 22:27:28 UTC (rev 37775)
@@ -668,6 +668,7 @@ krb5_free_last_req(NULL, val->last_req); krb5_free_principal(NULL, val->server); krb5_free_addresses(NULL, val->caddrs); + krb5_free_pa_data(NULL, val->enc_padata); val->session = NULL; val->last_req = NULL; val->server = NULL; Modified: src/lib/krb5/krb/kfree.c =================================================================== --- src/lib/krb5/krb/kfree.c 2009-10-07 22:25:00 UTC (rev 37774) +++ src/lib/krb5/krb/kfree.c 2009-10-07 22:27:28 UTC (rev 37775) @@ -297,6 +297,7 @@ krb5_free_last_req(context, val->last_req); krb5_free_principal(context, val->server); krb5_free_addresses(context, val->caddrs); + krb5_free_pa_data(context, val->enc_padata); free(val); } From rt-comment at krbdev.mit.edu Fri Oct 9 10:21:06 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 9 Oct 2009 14:21:06 +0000 (UTC) Subject: [krbdev.mit.edu #6571] SVN Commit In-Reply-To: Message-ID: In asn1_decode_enc_kdc_rep_part, don't leak the enc_padata field on invalid representations. http://src.mit.edu/fisheye/changelog/krb5/?cs=22872 Commit By: ghudson Revision: 22872 Changed Files: U trunk/src/lib/krb5/asn.1/asn1_k_decode.c From rt-comment at krbdev.mit.edu Fri Oct 9 10:22:31 2009 From: rt-comment at krbdev.mit.edu (Greg Hudson via RT) Date: Fri, 9 Oct 2009 14:22:31 +0000 (UTC) Subject: [krbdev.mit.edu #6571] krb5 1.7 memory leak In-Reply-To: Message-ID: Thanks for the patch. I've committed the part that wasn't in trunk. When pulling this up, the part that already was in trunk (the change to kfree.c) should be applied manually. From rt-comment at krbdev.mit.edu Fri Oct 9 14:29:37 2009 
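Review bot: in the asn1_k_decode.c hunk the new krb5_free_pa_data(NULL, val->enc_padata) releases the field, but the cleanup that follows only resets val->session, val->last_req and val->server, so val->enc_padata is left pointing at freed memory; add `val->enc_padata = NULL;` next to those assignments so a caller that later hands the partially decoded structure to the kfree.c routine cannot free it a second time.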
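Review bot: the kfree.c hunk is the half Arlene says already landed on trunk with the S4U merge, so it must not be applied mechanically when this ticket is pulled up: two krb5_free_pa_data(context, val->enc_padata) calls ahead of free(val) would be a double free. Apply it by hand, as Greg's follow-up says, and check that the kfree.c function which frees krb5_enc_kdc_rep_part ends up with exactly one such call.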
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Fri, 9 Oct 2009 18:29:37 +0000 (UTC)
Subject: [krbdev.mit.edu #6572] SVN Commit

Merge Luke's users/lhoward/authdata branch to trunk. Implements GSS naming extensions and verification of authorization data.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22875

Commit By: ghudson
Revision: 22875

Changed Files:
U trunk/src/clients/klist/klist.c
U trunk/src/configure.in
U trunk/src/include/k5-int.h
U trunk/src/include/kdb_ext.h
U trunk/src/include/krb5/authdata_plugin.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_authdata.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
A trunk/src/lib/crypto/krb/enc_provider/
A trunk/src/lib/crypto/krb/hash_provider/
U trunk/src/lib/crypto/openssl/sha1/shs.c
U trunk/src/lib/crypto/openssl/sha1/shs.h
U trunk/src/lib/gssapi/generic/gssapi_ext.h
U trunk/src/lib/gssapi/krb5/Makefile.in
U trunk/src/lib/gssapi/krb5/accept_sec_context.c
U trunk/src/lib/gssapi/krb5/acquire_cred.c
U trunk/src/lib/gssapi/krb5/add_cred.c
U trunk/src/lib/gssapi/krb5/compare_name.c
U trunk/src/lib/gssapi/krb5/delete_sec_context.c
U trunk/src/lib/gssapi/krb5/disp_name.c
U trunk/src/lib/gssapi/krb5/duplicate_name.c
U trunk/src/lib/gssapi/krb5/export_name.c
U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U trunk/src/lib/gssapi/krb5/gssapi_krb5.c
U trunk/src/lib/gssapi/krb5/import_name.c
U trunk/src/lib/gssapi/krb5/init_sec_context.c
U trunk/src/lib/gssapi/krb5/inq_context.c
U trunk/src/lib/gssapi/krb5/inq_cred.c
A trunk/src/lib/gssapi/krb5/naming_exts.c
U trunk/src/lib/gssapi/krb5/rel_cred.c
U trunk/src/lib/gssapi/krb5/rel_name.c
U trunk/src/lib/gssapi/krb5/s4u_gss_glue.c
U trunk/src/lib/gssapi/krb5/ser_sctx.c
U trunk/src/lib/gssapi/krb5/val_cred.c
U trunk/src/lib/gssapi/libgssapi_krb5.exports
U trunk/src/lib/gssapi/mechglue/Makefile.in
A trunk/src/lib/gssapi/mechglue/g_del_name_attr.c
U trunk/src/lib/gssapi/mechglue/g_dsp_name.c
A trunk/src/lib/gssapi/mechglue/g_dsp_name_ext.c
A trunk/src/lib/gssapi/mechglue/g_export_name_comp.c
A trunk/src/lib/gssapi/mechglue/g_get_name_attr.c
U trunk/src/lib/gssapi/mechglue/g_glue.c
U trunk/src/lib/gssapi/mechglue/g_imp_name.c
U trunk/src/lib/gssapi/mechglue/g_initialize.c
U trunk/src/lib/gssapi/mechglue/g_inq_context_oid.c
U trunk/src/lib/gssapi/mechglue/g_inq_cred_oid.c
A trunk/src/lib/gssapi/mechglue/g_inq_name.c
A trunk/src/lib/gssapi/mechglue/g_map_name_to_any.c
A trunk/src/lib/gssapi/mechglue/g_rel_name_mapping.c
U trunk/src/lib/gssapi/mechglue/g_set_context_option.c
U trunk/src/lib/gssapi/mechglue/g_set_cred_option.c
A trunk/src/lib/gssapi/mechglue/g_set_name_attr.c
U trunk/src/lib/gssapi/mechglue/mglueP.h
U trunk/src/lib/gssapi/spnego/gssapiP_spnego.h
U trunk/src/lib/gssapi/spnego/spnego_mech.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.c
U trunk/src/lib/krb5/asn.1/asn1_k_decode.h
U trunk/src/lib/krb5/asn.1/asn1_k_encode.c
U trunk/src/lib/krb5/asn.1/krb5_decode.c
U trunk/src/lib/krb5/ccache/cc_file.c
U trunk/src/lib/krb5/ccache/ccfns.c
U trunk/src/lib/krb5/error_tables/kv5m_err.et
U trunk/src/lib/krb5/krb/Makefile.in
U trunk/src/lib/krb5/krb/auth_con.c
U trunk/src/lib/krb5/krb/auth_con.h
A trunk/src/lib/krb5/krb/authdata.c
A trunk/src/lib/krb5/krb/authdata.h
U trunk/src/lib/krb5/krb/copy_auth.c
U trunk/src/lib/krb5/krb/gc_frm_kdc.c
U trunk/src/lib/krb5/krb/int-proto.h
U trunk/src/lib/krb5/krb/kfree.c
U trunk/src/lib/krb5/krb/mk_req_ext.c
U trunk/src/lib/krb5/krb/pac.c
U trunk/src/lib/krb5/krb/rd_req.c
U trunk/src/lib/krb5/krb/rd_req_dec.c
U trunk/src/lib/krb5/krb/s4u_creds.c
U trunk/src/lib/krb5/krb/ser_actx.c
U trunk/src/lib/krb5/krb/t_authdata.c
U trunk/src/lib/krb5/libkrb5.exports
A trunk/src/plugins/authdata/greet_client/
A trunk/src/plugins/authdata/greet_server/
U trunk/src/tests/asn.1/krb5_decode_leak.c
U trunk/src/tests/asn.1/krb5_decode_test.c
U trunk/src/tests/asn.1/krb5_encode_test.c
U trunk/src/tests/asn.1/ktest.c
U trunk/src/tests/asn.1/ktest.h
U trunk/src/tests/asn.1/ktest_equal.c
U trunk/src/tests/asn.1/ktest_equal.h
U trunk/src/tests/asn.1/reference_encode.out
U trunk/src/tests/asn.1/trval_reference.out
U trunk/src/tests/gssapi/Makefile.in
A trunk/src/tests/gssapi/t_namingexts.c
U trunk/src/tests/gssapi/t_s4u.c

From: rt-comment at krbdev.mit.edu (W.Michael Petullo via RT)
Date: Sun, 11 Oct 2009 07:22:22 +0000 (UTC)
Subject: [krbdev.mit.edu #6570] PATCH: Fix symbol collision between krb5 1.7 and uClibc

>> I have attached a patch against krb5 1.7 that fixes a symbol collision
>> between krb5 and uClibc. This allows one to compile krb5 against uClibc.
>
> Thanks. Why is there a definition of ruserpass() in uClibc? It looks
> useful only to the ftp client. Should we use a system-provided copy
> of ruserpass() if available? We might perform the function renaming
> as an interim solution if we are going to attempt to use the system
> version of the function.

Here is the definition from uClibc's netdb.h:

    /* ruserpass - remote password check. This function also exists in glibc but is undocumented */
    extern int ruserpass(const char *host, const char **aname, const char **apass);

--
Mike
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 13 Oct 2009 09:45:09 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop

Sam, can you please comment on the practical ramifications of not continuing after a PREAUTH_FAILED error? (That is, reverting that particular change which you made as part of the FAST work.)

The looping problem we are seeing in 1.7 is not simply that we are failing to generate padata and continuing anyway (although that may be happening against Microsoft KDCs). We also don't have any mechanism to remember and avoid previously used preauth mechanisms. So, for instance, against an MIT KDC modified to return PREAUTH_FAILED on encrypted timestamp failure, the 1.7 client loops generating encrypted timestamp padata.

This is a fine point, but I cannot actually find anything in the preauth framework saying we should continue after PREAUTH_FAILED. The text in the opening of section 3 only applies to PREAUTH_FAILED errors resulting from optimistic preauth, which we do not do.

This looping bug was masked on the trunk by the merge of Luke's S4U work (r22736). In that work, he introduced a change which results in the client invoking krb5_do_preauth_tryagain after a PREAUTH_FAILED error, which (as Sam notes) is wrong and effectively reverts Sam's change.

I am thinking that the correct thing to do for 1.7.1 is to more cleanly revert Sam's change and simply stop after a PREAUTH_FAILED error like we did in 1.6.

Finally, I'll note that this bug interacts badly with account lockout mechanisms. Users authenticating with the 1.7 kinit against Microsoft KDCs are currently getting locked out with just one wrong password, if the lockout policy kicks in at 8 or fewer attempts.
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 13 Oct 2009 16:26:21 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop

Greg, a couple of points.

First, you do have code to track whether a module has been used in the plugin path, but not in the internal preauth system path. (I assumed it was in both places.) So, for plugins, keeping track of whether you've already given up on a plugin is relatively easy.

You do actually support optimistic preauth. There is both a config parameter and a get_init_creds option to set the list of preauth types to optimistically try.

I think a reasonable medium-term fix for this issue would be to treat preauth_failed as preauth_required in the optimistic case but not in other cases. Long term, it would perhaps be more correct to treat preauth_failed as preauth_required once you had a mechanism for keeping track of preauth state better.

Perhaps getting rid of separate dispatch for built-in and plugins and simply synthesizing plugin state for the built-in mechanisms would be a good (post 1.8) wishlist item.

--Sam

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 13 Oct 2009 16:48:00 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop

We have a config parameter for optimistic preauth? I can't find any documentation or code for such.
From: rt-comment at krbdev.mit.edu (Sam Hartman via RT)
Date: Tue, 13 Oct 2009 17:41:18 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop

I'm fairly sure that

    ret = krb5_libdefault_string(context, realm, KRB5_CONF_PREFERRED_PREAUTH_TYPES, &preauth_types);

is optimistic preauth. At least Apple was assuming that code generated optimistic preauth.

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 13 Oct 2009 18:25:28 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop

All that code does is sort specified preauth types to the front of the list. It doesn't add preauth types to a nonexistent list. (It's also an undocumented parameter; I will try to fix that.)

Anyway, I believe we agree. I will change the code to only continue on PREAUTH_FAILED during the first iteration.

Eliminating the separate dispatches in the preauth framework would be a great bit of cleanup, but will take more time than I have available on the margin.

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 13 Oct 2009 19:43:19 +0000 (UTC)
Subject: [krbdev.mit.edu #6573] SVN Commit

In 1.7, krb5_get_init_creds will continue attempting the same built-in preauth mechanism (e.g. encrypted timestamp) until the loop counter maxes out. Until the preauth framework can remember not to retry built-in mechanisms, only continue with preauth after a PREAUTH_FAILED error resulting from optimistic preauth.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22890

Commit By: ghudson
Revision: 22890

Changed Files:
U trunk/src/lib/krb5/krb/get_in_tkt.c
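As an added illustration of the looping behaviour discussed in #6430 and the rule committed in r22890 (a constructed simulation, not krb5 code; the 16-iteration cap, the error constants and the fake KDC are assumptions modelled on the thread), the program below counts how many failed preauth attempts one kinit with a wrong password sends under the 1.7 loop versus the fixed loop, which is the number a KDC's lockout policy sees.

```c
/* Constructed model of the krb5_get_init_creds retry loop from ticket #6430.
 * Not krb5 code: the loop cap, error constants and the fake KDC are assumptions
 * taken from the thread ("we will loop 16 times") and RFC 4120 error codes. */
#include <stdbool.h>
#include <stdio.h>

#define MAX_IN_TKT_LOOPS          16   /* assumed cap, per the thread's "16 times" */
#define KDC_ERR_NONE               0
#define KDC_ERR_PREAUTH_FAILED    24   /* RFC 4120 */
#define KDC_ERR_PREAUTH_REQUIRED  25   /* RFC 4120 */

/* Fake KDC: requires preauth and, like the modified MIT KDC in the thread,
 * answers every encrypted-timestamp attempt with PREAUTH_FAILED (wrong
 * password). Each such failure is what an account-lockout policy counts. */
struct fake_kdc {
    int as_req_count;          /* every AS-REQ seen */
    int failed_preauth_count;  /* AS-REQs whose padata did not verify */
};

static int kdc_handle_as_req(struct fake_kdc *kdc, bool has_padata)
{
    kdc->as_req_count++;
    if (!has_padata)
        return KDC_ERR_PREAUTH_REQUIRED;  /* "send preauth first" */
    kdc->failed_preauth_count++;
    return KDC_ERR_PREAUTH_FAILED;        /* padata present but wrong */
}

/* Client side. optimistic: padata was already in the first AS-REQ
 * (preferred_preauth_types). fixed: the r22890 rule, continue after
 * PREAUTH_FAILED only when it answers that optimistic first attempt. */
static int client_get_init_creds(struct fake_kdc *kdc, bool optimistic, bool fixed)
{
    bool has_padata = optimistic;
    int err = KDC_ERR_PREAUTH_FAILED;
    int loop;

    for (loop = 0; loop < MAX_IN_TKT_LOOPS; loop++) {
        err = kdc_handle_as_req(kdc, has_padata);
        if (err == KDC_ERR_NONE)
            return 0;
        if (err == KDC_ERR_PREAUTH_REQUIRED) {
            has_padata = true;   /* build padata from the KDC's list and retry */
            continue;
        }
        if (err == KDC_ERR_PREAUTH_FAILED) {
            if (fixed && !(optimistic && loop == 0))
                return err;      /* stop, as 1.6 did */
            has_padata = true;   /* 1.7: regenerate the same padata and retry */
            continue;
        }
        return err;
    }
    return err;                  /* loop counter maxed out */
}

/* Failed preauth attempts the KDC records for one kinit with a wrong password. */
static int failed_attempts(bool optimistic, bool fixed)
{
    struct fake_kdc kdc = { 0, 0 };
    (void)client_get_init_creds(&kdc, optimistic, fixed);
    return kdc.failed_preauth_count;
}

int main(void)
{
    printf("1.7,    KDC-driven preauth: %d failed attempts\n", failed_attempts(false, false));
    printf("r22890, KDC-driven preauth: %d failed attempt(s)\n", failed_attempts(false, true));
    printf("1.7,    optimistic preauth: %d failed attempts\n", failed_attempts(true, false));
    printf("r22890, optimistic preauth: %d failed attempt(s)\n", failed_attempts(true, true));
    return 0;
}
```

With the 1.7 loop a single mistyped password produces 15 failed attempts (16 if the client started optimistically), which is why a lockout threshold of 8 or fewer trips on the first try; the fixed loop produces one (two in the optimistic case).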
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 13 Oct 2009 19:49:59 +0000 (UTC)
Subject: [krbdev.mit.edu #6430] If we fail to generate preauth, don't loop

I reverted Luke's fix on trunk and then fixed the PREAUTH_FAILED looping bug as Sam described in a separate ticket (#6573, r22890).

I am leaving this bug report open as Sam's original description is still true--that is, we will loop 16 times trying un-preauthenticated AS-REQs if we can't do any of the preauth mechanisms presented to us by the server in a PREAUTH_REQUIRED error.

From: rt-comment at krbdev.mit.edu (william.fiveash@sun.com via RT)
Date: Thu, 15 Oct 2009 18:04:41 +0000 (UTC)
Subject: [krbdev.mit.edu #6574] prompter users should zero out reply data before freeing it

I've been looking at the code that calls krb5_prompter_posix() and I've noticed that the reply data (which may contain a password) is not being zeroed out before being freed. When I look at similar code in the Solaris libpam I notice that the reply data is being zeroed prior to free. This seems to be a better practice security-wise. I suggest looking at every place a prompter is called and memset() the reply data with 0 prior to its being freed.

From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Thu, 15 Oct 2009 18:56:47 +0000 (UTC)
Subject: [krbdev.mit.edu #6574] prompter users should zero out reply data before freeing it

I'd like to point out the existence of the shiny new zapfree() macro to anyone working on fixing this.
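As an added example for #6574 (constructed, not krb5 code: zap() and zapfree() below are this example's own versions modelled on the idea of the zapfree() macro Greg mentions, and reply_data and fake_prompter are stand-ins for krb5_data and krb5_prompter_posix), this shows how many password bytes the heap chunk still holds at the instant free() runs with and without zeroing, using a zeroing routine the optimizer cannot drop as a dead store.

```c
/* Constructed example for ticket #6574, not krb5 code: zap()/zapfree() are this
 * example's own versions modelled on the idea of the zapfree() macro, and
 * reply_data/fake_prompter stand in for krb5_data and krb5_prompter_posix. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct reply_data {          /* shape of krb5_data: length + pointer (assumption) */
    unsigned int length;
    char *data;
};

/* Zero a buffer through a volatile pointer so the optimizer cannot treat the
 * stores as dead just because the memory is freed right afterwards. */
static void zap(void *ptr, size_t len)
{
    volatile unsigned char *p = (volatile unsigned char *)ptr;
    while (len--)
        *p++ = 0;
}

/* Zero then free; NULL-safe. Pass the allocation size, never strlen(). */
#define zapfree(ptr, len) do { if ((ptr) != NULL) { zap((ptr), (len)); free(ptr); } } while (0)

#define SAMPLE_PASSWORD "hunter2"    /* constructed sample input */

/* Stand-in prompter: copies the "typed" password into the caller's buffer and
 * sets reply->length to the answer length, as the real prompter does. */
static int fake_prompter(struct reply_data *reply)
{
    size_t n = strlen(SAMPLE_PASSWORD);
    if (n + 1 > reply->length)
        return -1;
    memcpy(reply->data, SAMPLE_PASSWORD, n + 1);
    reply->length = (unsigned int)n;
    return 0;
}

/* One prompt, then release the buffer the 1.7 way (plain free) or zeroed first.
 * Returns how many password bytes the allocation still held at the instant
 * free() ran, i.e. what the next owner of that heap chunk could read back. */
static size_t secret_bytes_at_free(bool zero_first)
{
    const size_t alloc_len = 1024;   /* prompt buffers are sized generously */
    struct reply_data reply = { (unsigned int)alloc_len, malloc(alloc_len) };
    size_t i, n = strlen(SAMPLE_PASSWORD), remaining = 0;
    if (reply.data == NULL || fake_prompter(&reply) != 0) {
        free(reply.data);
        return (size_t)-1;
    }
    if (zero_first)
        zap(reply.data, alloc_len);  /* whole allocation, not reply.length */
    for (i = 0; i < n; i++)          /* snapshot taken just before free() */
        remaining += (reply.data[i] == SAMPLE_PASSWORD[i]);
    free(reply.data);
    return remaining;
}

/* The cleanup every prompter caller should run: zapfree, then reset the fields. */
static void release_reply(struct reply_data *reply, size_t alloc_len)
{
    zapfree(reply->data, alloc_len);
    reply->data = NULL;
    reply->length = 0;
}

int main(void)
{
    struct reply_data reply = { 64, malloc(64) };
    printf("password bytes left at free(): plain free=%zu, zeroed=%zu\n",
           secret_bytes_at_free(false), secret_bytes_at_free(true));
    if (reply.data != NULL && fake_prompter(&reply) == 0)
        release_reply(&reply, 64);
    return 0;
}
```

A plain memset() before free() is the same idea, but a compiler may elide a memset whose target is freed on the next line; the volatile-store loop (or memset_s where available) is what makes the zeroing stick.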
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Mon, 19 Oct 2009 20:04:24 +0000 (UTC)
Subject: [krbdev.mit.edu #6576] SVN Commit

Merge branches/enc-perf to trunk. Adds the krb5_key opaque type, the krb5_k_* APIs to use them, and caching of derived keys when krb5_k_* functions are used. Updates the krb5 auth context and GSS id-rec to use krb5_keys.

http://src.mit.edu/fisheye/changelog/krb5/?cs=22944

Commit By: ghudson
Revision: 22944

Changed Files:
U trunk/src/include/k5-int.h
U trunk/src/include/krb5/krb5.hin
U trunk/src/lib/crypto/builtin/aes/aes_s2k.c
U trunk/src/lib/crypto/builtin/arcfour/arcfour.c
U trunk/src/lib/crypto/builtin/arcfour/arcfour.h
U trunk/src/lib/crypto/builtin/arcfour/arcfour_aead.c
U trunk/src/lib/crypto/builtin/enc_provider/aes.c
U trunk/src/lib/crypto/builtin/enc_provider/des.c
U trunk/src/lib/crypto/builtin/enc_provider/des3.c
U trunk/src/lib/crypto/builtin/enc_provider/rc4.c
U trunk/src/lib/crypto/builtin/hmac.c
U trunk/src/lib/crypto/builtin/pbkdf2.c
U trunk/src/lib/crypto/crypto_tests/Makefile.in
U trunk/src/lib/crypto/crypto_tests/aes-test.c
U trunk/src/lib/crypto/crypto_tests/t_cksum.c
U trunk/src/lib/crypto/crypto_tests/t_cts.c
U trunk/src/lib/crypto/crypto_tests/t_encrypt.c
U trunk/src/lib/crypto/crypto_tests/t_hmac.c
A trunk/src/lib/crypto/crypto_tests/t_kperf.c
U trunk/src/lib/crypto/krb/Makefile.in
U trunk/src/lib/crypto/krb/aead.c
U trunk/src/lib/crypto/krb/aead.h
U trunk/src/lib/crypto/krb/combine_keys.c
U trunk/src/lib/crypto/krb/decrypt.c
U trunk/src/lib/crypto/krb/decrypt_iov.c
U trunk/src/lib/crypto/krb/dk/checksum.c
U trunk/src/lib/crypto/krb/dk/derive.c
U trunk/src/lib/crypto/krb/dk/dk.h
U trunk/src/lib/crypto/krb/dk/dk_aead.c
U trunk/src/lib/crypto/krb/dk/dk_decrypt.c
U trunk/src/lib/crypto/krb/dk/dk_encrypt.c
U trunk/src/lib/crypto/krb/dk/stringtokey.c
U trunk/src/lib/crypto/krb/encrypt.c
U trunk/src/lib/crypto/krb/encrypt_iov.c
U trunk/src/lib/crypto/krb/etypes.h
A trunk/src/lib/crypto/krb/key.c
U trunk/src/lib/crypto/krb/keyblocks.c
U trunk/src/lib/crypto/krb/keyhash_provider/descbc.c
U trunk/src/lib/crypto/krb/keyhash_provider/hmac_md5.c
U trunk/src/lib/crypto/krb/keyhash_provider/k5_md4des.c
U trunk/src/lib/crypto/krb/keyhash_provider/k5_md5des.c
U trunk/src/lib/crypto/krb/keyhash_provider/md5_hmac.c
U trunk/src/lib/crypto/krb/make_checksum.c
U trunk/src/lib/crypto/krb/make_checksum_iov.c
U trunk/src/lib/crypto/krb/old/old.h
U trunk/src/lib/crypto/krb/old/old_decrypt.c
U trunk/src/lib/crypto/krb/old/old_encrypt.c
U trunk/src/lib/crypto/krb/prf/des_prf.c
U trunk/src/lib/crypto/krb/prf/dk_prf.c
U trunk/src/lib/crypto/krb/prf/prf_int.h
U trunk/src/lib/crypto/krb/prf/rc4_prf.c
U trunk/src/lib/crypto/krb/prf.c
U trunk/src/lib/crypto/krb/raw/raw.h
U trunk/src/lib/crypto/krb/raw/raw_aead.c
U trunk/src/lib/crypto/krb/raw/raw_decrypt.c
U trunk/src/lib/crypto/krb/raw/raw_encrypt.c
U trunk/src/lib/crypto/krb/verify_checksum.c
U trunk/src/lib/crypto/krb/verify_checksum_iov.c
U trunk/src/lib/crypto/krb/yarrow/ycipher.c
U trunk/src/lib/crypto/krb/yarrow/ycipher.h
U trunk/src/lib/crypto/libk5crypto.exports
U trunk/src/lib/crypto/openssl/aes/aes_s2k.c
U trunk/src/lib/crypto/openssl/arcfour/arcfour.c
U trunk/src/lib/crypto/openssl/arcfour/arcfour.h
U trunk/src/lib/crypto/openssl/arcfour/arcfour_aead.c
U trunk/src/lib/crypto/openssl/enc_provider/aes.c
U trunk/src/lib/crypto/openssl/enc_provider/des.c
U trunk/src/lib/crypto/openssl/enc_provider/des3.c
U trunk/src/lib/crypto/openssl/enc_provider/rc4.c
U trunk/src/lib/crypto/openssl/hmac.c
U trunk/src/lib/gssapi/krb5/accept_sec_context.c
U trunk/src/lib/gssapi/krb5/delete_sec_context.c
U trunk/src/lib/gssapi/krb5/gssapiP_krb5.h
U trunk/src/lib/gssapi/krb5/init_sec_context.c
U trunk/src/lib/gssapi/krb5/inq_context.c
U trunk/src/lib/gssapi/krb5/k5seal.c
U trunk/src/lib/gssapi/krb5/k5sealiov.c
U trunk/src/lib/gssapi/krb5/k5sealv3.c
U trunk/src/lib/gssapi/krb5/k5sealv3iov.c
U trunk/src/lib/gssapi/krb5/k5unseal.c
U trunk/src/lib/gssapi/krb5/k5unsealiov.c
U trunk/src/lib/gssapi/krb5/lucid_context.c
U trunk/src/lib/gssapi/krb5/ser_sctx.c
U trunk/src/lib/gssapi/krb5/util_cksum.c
U trunk/src/lib/gssapi/krb5/util_crypt.c
U trunk/src/lib/gssapi/krb5/util_seed.c
U trunk/src/lib/gssapi/krb5/util_seqnum.c
U trunk/src/lib/gssapi/krb5/wrap_size_limit.c
U trunk/src/lib/krb5/krb/auth_con.c
U trunk/src/lib/krb5/krb/auth_con.h
U trunk/src/lib/krb5/krb/copy_key.c
U trunk/src/lib/krb5/krb/cp_key_cnt.c
U trunk/src/lib/krb5/krb/enc_helper.c
U trunk/src/lib/krb5/krb/mk_cred.c
U trunk/src/lib/krb5/krb/mk_priv.c
U trunk/src/lib/krb5/krb/mk_rep.c
U trunk/src/lib/krb5/krb/mk_req_ext.c
U trunk/src/lib/krb5/krb/mk_safe.c
U trunk/src/lib/krb5/krb/rd_cred.c
U trunk/src/lib/krb5/krb/rd_priv.c
U trunk/src/lib/krb5/krb/rd_rep.c
U trunk/src/lib/krb5/krb/rd_req_dec.c
U trunk/src/lib/krb5/krb/rd_safe.c
U trunk/src/lib/krb5/krb/ser_actx.c
U trunk/src/lib/krb5/os/accessor.c
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Sun, 25 Oct 2009 16:55:14 +0000 (UTC)
Subject: [krbdev.mit.edu #6577] SVN Commit

Merge Luke's users/lhoward/lockout2 branch to trunk. Implements account lockout policies for preauth-using principals using existing principal metadata fields and new policy fields. The kadmin API version is bumped from 2 to 3 to compatibly extend the policy_ent_rec structure.

http://src.mit.edu/fisheye/changelog/krb5/?cs=23038

Commit By: ghudson
Revision: 23038

Changed Files:
U trunk/src/include/iprop.h
U trunk/src/include/iprop_hdr.h
U trunk/src/include/kdb.h
U trunk/src/kadmin/cli/kadmin.c
U trunk/src/kadmin/dbutil/dump.c
U trunk/src/kadmin/dbutil/kadm5_create.c
U trunk/src/kadmin/dbutil/kdb5_util.M
U trunk/src/kadmin/dbutil/kdb5_util.c
U trunk/src/kadmin/server/ipropd_svc.c
U trunk/src/kadmin/server/ovsec_kadmd.c
U trunk/src/kadmin/server/server_stubs.c
U trunk/src/kadmin/testing/scripts/init_db
U trunk/src/kadmin/testing/scripts/start_servers_local
U trunk/src/kadmin/testing/tcl/util.t
U trunk/src/kadmin/testing/util/tcl_kadm5.c
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/extern.c
U trunk/src/kdc/main.c
U trunk/src/lib/kadm5/admin.h
U trunk/src/lib/kadm5/admin_internal.h
U trunk/src/lib/kadm5/clnt/client_init.c
U trunk/src/lib/kadm5/kadm_rpc_xdr.c
U trunk/src/lib/kadm5/server_internal.h
U trunk/src/lib/kadm5/srv/server_init.c
U trunk/src/lib/kadm5/srv/server_kdb.c
U trunk/src/lib/kadm5/srv/svr_policy.c
U trunk/src/lib/kadm5/srv/svr_principal.c
U trunk/src/lib/kadm5/unit-test/api.2/mod-principal-v2.exp
A trunk/src/lib/kadm5/unit-test/api.3/
U trunk/src/lib/kadm5/unit-test/config/unix.exp
U trunk/src/lib/kadm5/unit-test/destroy-test.c
U trunk/src/lib/kadm5/unit-test/handle-test.c
U trunk/src/lib/kadm5/unit-test/init-test.c
U trunk/src/lib/kadm5/unit-test/iter-test.c
U trunk/src/lib/kadm5/unit-test/lib/lib.t
U trunk/src/lib/kadm5/unit-test/randkey-test.c
U trunk/src/lib/kadm5/unit-test/setkey-test.c
U trunk/src/lib/kdb/iprop.x
U trunk/src/lib/kdb/kdb_convert.c
U trunk/src/plugins/kdb/db2/Makefile.in
U trunk/src/plugins/kdb/db2/db2_exp.c
U trunk/src/plugins/kdb/db2/kdb_db2.c
U trunk/src/plugins/kdb/db2/kdb_db2.h
A trunk/src/plugins/kdb/db2/kdb_ext.c
A trunk/src/plugins/kdb/db2/lockout.c
U trunk/src/plugins/kdb/db2/pol_xdr.c
U trunk/src/plugins/kdb/db2/policy_db.h
U trunk/src/plugins/kdb/ldap/ldap_exp.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/Makefile.in
A trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ext.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.ldif
U trunk/src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.h
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_rights.c
U trunk/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports
A trunk/src/plugins/kdb/ldap/libkdb_ldap/lockout.c
U trunk/src/slave/kpropd.c
U trunk/src/slave/kslave_update
From: rt-comment at krbdev.mit.edu (Greg Hudson via RT)
Date: Tue, 27 Oct 2009 14:24:03 +0000 (UTC)
Subject: [krbdev.mit.edu #6578] SVN Commit

Merge Luke's users/lhoward/heimmig branch to trunk. Implements a KDC back-end plugin which interfaces to a Heimdal HDB plugin.

http://src.mit.edu/fisheye/changelog/krb5/?cs=23073

Commit By: ghudson
Revision: 23073

Changed Files:
U trunk/src/configure.in
U trunk/src/include/kdb_ext.h
U trunk/src/include/krb5/authdata_plugin.h
U trunk/src/kdc/do_as_req.c
U trunk/src/kdc/do_tgs_req.c
U trunk/src/kdc/kdc_authdata.c
U trunk/src/kdc/kdc_util.c
U trunk/src/kdc/kdc_util.h
U trunk/src/kdc/policy.c
U trunk/src/lib/kadm5/srv/svr_principal.c
U trunk/src/lib/kdb/kdb5.c
U trunk/src/lib/kdb/libkdb5.exports
U trunk/src/plugins/authdata/greet_server/greet_auth.c
A trunk/src/plugins/kdb/hdb/