[krbdev.mit.edu #6870] SVN Commit
Greg Hudson via RT
rt-comment at krbdev.mit.edu
Wed Feb 16 18:34:38 EST 2011
Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.
http://src.mit.edu/fisheye/changelog/krb5/?cs=24640
Commit By: ghudson
Revision: 24640
Changed Files:
U trunk/src/include/k5-trace.h
U trunk/src/lib/krb5/krb/pac.c
More information about the krb5-bugs
mailing list