[krbdev.mit.edu #8829] git commit
Greg Hudson via RT
rt-comment at KRBDEV-PROD-APP-1.mit.edu
Mon Sep 9 10:33:52 EDT 2019
Mon Sep 09 10:33:52 2019: Request 8829 was acted upon.
Transaction: Ticket created by ghudson at mit.edu
Queue: krb5
Subject: git commit
Owner: ghudson at mit.edu
Requestors:
Status: new
Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8829 >
Fix authdata signatures for non-TGT AS-REQs

PACs (as well as anything wrapped in CAMMAC) should be signed using
the local TGT key. Cross-realm TGS requests, ticket renewal and
validation requests, and non-TGT AS requests currently do not pass the
local TGT DB entry or its key to sign_authdata(), forcing the KDB
module to do a redundant lookup in order to properly sign PACs.

Rename the existing krbtgt and krbtgt_key parameters to header_server
and header_key, to better indicate that they are for the header ticket
server. For AS requests, pass NULL for these parameters instead of
passing a duplicate of server/server_key.

Add local_tgt and local_tgt_key parameters for the realm's local TGT
and its first key.

[ghudson at mit.edu: rewrote commit message]
https://github.com/krb5/krb5/commit/15349afaaedcf1113382a92bd3a34b7cedd0129f
Author: Isaac Boukris <iboukris at gmail.com>
Committer: Greg Hudson <ghudson at mit.edu>
Commit: 15349afaaedcf1113382a92bd3a34b7cedd0129f
Branch: master
src/include/kdb.h | 30 ++++++++++++++++++------------
src/kdc/kdc_authdata.c | 27 +++++++++------------------
src/lib/kdb/kdb5.c | 14 ++++++++------
src/plugins/kdb/test/kdb_test.c | 7 ++++---
4 files changed, 39 insertions(+), 39 deletions(-)