[krbdev.mit.edu #8780] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Wed Mar 13 19:39:14 EDT 2019
Expand S4U2Self exception in KDC lineage check

An S4U2Self TGS-REQ using only a certificate to identify the user will
not include PA-FOR-USER, so we need to check both types when making an
exception in the lineage check. (S4U2Self requests are allowed to
bypass the lineage check because cross-realm S4U2Self ends with a
backwards cross-realm request to the server realm.)

[ghudson at mit.edu: factored out padata check; deindented the code block
by combining conditionals; rewrote commit message]
https://github.com/krb5/krb5/commit/26c3818737cf16d476043a4acec8afb0fa67e47f
Author: Isaac Boukris <iboukris at gmail.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 26c3818737cf16d476043a4acec8afb0fa67e47f
Branch: master
src/kdc/kdc_util.c | 27 +++++++++++++++++----------
1 files changed, 17 insertions(+), 10 deletions(-)
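The padata test the commit message describes, as an added example that is not the krb5 source: a request carrying only PA-S4U-X509-USER is missed by a PA-FOR-USER-only check and recognized once both types are tested. The struct, function and request names are hypothetical; the type numbers 129 and 130 are the values krb5.h assigns to KRB5_PADATA_FOR_USER and KRB5_PADATA_S4U_X509_USER.

```c
#include <stdbool.h>
#include <stddef.h>

/* Pre-authentication data type numbers (values as defined in krb5.h). */
#define PADATA_TGS_REQ        1
#define PADATA_FOR_USER       129   /* PA-FOR-USER: user identified by name */
#define PADATA_S4U_X509_USER  130   /* PA-S4U-X509-USER: name and/or certificate */

/* Hypothetical stand-in for a padata element; only the type matters here. */
struct pa_entry { int pa_type; };

/* Return true if the NULL-terminated list holds an entry of this type. */
static bool has_padata(const struct pa_entry *const *list, int pa_type)
{
    if (list == NULL)
        return false;
    for (; *list != NULL; list++) {
        if ((*list)->pa_type == pa_type)
            return true;
    }
    return false;
}

/* Before: only PA-FOR-USER earns the lineage-check exception. */
bool s4u2self_exception_old(const struct pa_entry *const *padata)
{
    return has_padata(padata, PADATA_FOR_USER);
}

/* After: either S4U2Self padata type earns the exception. */
bool s4u2self_exception_new(const struct pa_entry *const *padata)
{
    return has_padata(padata, PADATA_FOR_USER) ||
           has_padata(padata, PADATA_S4U_X509_USER);
}

/* Constructed sample requests (padata lists only). */
static const struct pa_entry tgs = { PADATA_TGS_REQ };
static const struct pa_entry for_user = { PADATA_FOR_USER };
static const struct pa_entry x509 = { PADATA_S4U_X509_USER };
const struct pa_entry *const req_plain[] = { &tgs, NULL };
const struct pa_entry *const req_name[] = { &tgs, &for_user, NULL };
const struct pa_entry *const req_cert_only[] = { &tgs, &x509, NULL };
```

An ordinary TGS-REQ (`req_plain`) gets no exception from either version, so the lineage check still applies to it.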