[krbdev.mit.edu #8815] git commit

Greg Hudson via RT rt-comment at KRBDEV-PROD-APP-1.mit.edu
Tue Jun 11 00:07:08 EDT 2019


Verify PAC client name independently of name-type

In krb5_pac_verify(), unparse the provided principal name and compare
using strcmp(), instead of parsing pac principal, in order to avoid
relying on the provided name type.

This change is needed for tickets issued with cross-realm S4U2Proxy
(with resource-based constrained delegation), because the final
request uses a cross-TGT as the evidence ticket, so the ticket client
name is taken from the PAC and does not preserve the name type.
Microsoft KDCs use NT-MS-PRINCIPAL as the ticket client name type in
this case, regardless of the original name type.

[ghudson at mit.edu: rewrote commit message; made minor style edits]

https://github.com/krb5/krb5/commit/e935913a4dc9461c129e373bfd752e8a6c795e28
Author: Isaac Boukris <iboukris at gmail.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: e935913a4dc9461c129e373bfd752e8a6c795e28
Branch: master
 src/lib/krb5/krb/pac.c   |   29 +++++++-------------------
 src/lib/krb5/krb/t_pac.c |   49 +++++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 56 insertions(+), 22 deletions(-)
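The idea in the commit message, that a PAC client-name check should compare the canonical string form of the name rather than trust the name type carried with the ticket, is illustrated below with a small self-contained model. This is an added example, not code from krb5 or from the commit; `struct principal`, `unparse_no_realm()`, `compare_with_type()` and `pac_client_name_matches()` are hypothetical stand-ins for the real library types and functions, and the fixtures are constructed. The name-type constants mirror the numeric `KRB5_NT_*` values, but nothing else here is taken from pac.c.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Name types, numerically matching KRB5_NT_PRINCIPAL, KRB5_NT_ENTERPRISE_PRINCIPAL
 * and KRB5_NT_MS_PRINCIPAL. The enum itself is part of this example, not krb5. */
enum { NT_PRINCIPAL = 1, NT_ENTERPRISE_PRINCIPAL = 10, NT_MS_PRINCIPAL = -128 };

#define MAX_COMPONENTS 4

/* Hypothetical simplified principal (not krb5_principal): type, realm, components. */
struct principal {
    int type;
    const char *realm;
    int ncomponents;
    const char *components[MAX_COMPONENTS];
};

/* Canonical string form without the realm: components joined by '/', with the
 * characters '/', '@' and '\' backslash-escaped so the result is unambiguous.
 * The name type is deliberately not part of the output. */
static char *unparse_no_realm(const struct principal *p)
{
    size_t len = 1;  /* terminating NUL */
    const char *c;
    char *out, *o;
    int i;

    for (i = 0; i < p->ncomponents; i++) {
        for (c = p->components[i]; *c != '\0'; c++)
            len += (*c == '/' || *c == '@' || *c == '\\') ? 2 : 1;
        if (i > 0)
            len++;  /* '/' separator */
    }
    out = malloc(len);
    if (out == NULL)
        return NULL;
    o = out;
    for (i = 0; i < p->ncomponents; i++) {
        if (i > 0)
            *o++ = '/';
        for (c = p->components[i]; *c != '\0'; c++) {
            if (*c == '/' || *c == '@' || *c == '\\')
                *o++ = '\\';
            *o++ = *c;
        }
    }
    *o = '\0';
    return out;
}

/* Type-sensitive comparison: rejects two spellings of the same name when the
 * KDC rewrote the name type (e.g. to NT-MS-PRINCIPAL on a cross-realm path). */
static int compare_with_type(const struct principal *a, const struct principal *b)
{
    char *sa, *sb;
    int equal;

    if (a->type != b->type)
        return 0;
    sa = unparse_no_realm(a);
    sb = unparse_no_realm(b);
    equal = (sa != NULL && sb != NULL && strcmp(sa, sb) == 0);
    free(sa);
    free(sb);
    return equal;
}

/* Type-independent check: the client name decoded from the PAC is compared
 * against the unparsed form of the principal the caller supplied, with strcmp(). */
static int pac_client_name_matches(const char *pac_client_name,
                                   const struct principal *provided)
{
    char *s = unparse_no_realm(provided);
    int match = (s != NULL && strcmp(pac_client_name, s) == 0);

    free(s);
    return match;
}

/* Helper for checking the unparsed form of a principal. */
static int unparses_to(const struct principal *p, const char *expected)
{
    char *s = unparse_no_realm(p);
    int match = (s != NULL && strcmp(s, expected) == 0);

    free(s);
    return match;
}

/* Constructed fixtures: the same client name under two different name types,
 * and a name whose components need escaping. */
static const struct principal client_nt_principal =
    { NT_PRINCIPAL, "EXAMPLE.COM", 2, { "host", "svc.example.com" } };
static const struct principal client_nt_ms =
    { NT_MS_PRINCIPAL, "EXAMPLE.COM", 2, { "host", "svc.example.com" } };
static const struct principal escaped_client =
    { NT_PRINCIPAL, "EXAMPLE.COM", 1, { "a/b@c" } };

int main(void)
{
    /* Constructed PAC client name, as it would be decoded from the PAC buffer. */
    const char *pac_name = "host/svc.example.com";

    printf("type-sensitive compare: %d\n",
           compare_with_type(&client_nt_principal, &client_nt_ms));
    printf("strcmp on unparsed name: %d\n",
           pac_client_name_matches(pac_name, &client_nt_ms));
    return 0;
}
```

The type-sensitive path returns 0 for the two fixtures even though they name the same client, which is the failure the commit describes for cross-realm S4U2Proxy tickets; the string comparison returns 1 while still rejecting a different name.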
