author | Sam Hartman <hartmans@mit.edu> | 2009-01-02 20:35:22 +0000 |
---|---|---|
committer | Sam Hartman <hartmans@mit.edu> | 2009-01-02 20:35:22 +0000 |
commit | 9a5cb7167318b07c0963f269797f807027e5b203 (patch) | |
tree | ab403383f0d9c58813be35f6490a9635ab152b2e | |
parent | 5a36782f900138f51965c01689966b575f2f5910 (diff) | |
Using the server name as a hint
is inappropriate. The server name is a security constraint.
If set, it must constrain the principals
that can be authenticated to; otherwise applications may get behavior that breaks security policy.
It is a goal that applications must be changed in order to take advantage of any server search.
Remove dead code
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/mskrb-integ@21668 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r-- | src/lib/krb5/krb/rd_req_dec.c | 23 |
1 files changed, 2 insertions, 21 deletions
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index f774c48..6cd34df 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -110,9 +110,7 @@ krb5_rd_req_decrypt_tkt_part(krb5_context context, const krb5_ap_req *req, (void) krb5_free_keytab_entry_contents(context, &ktent); } - } - - if (retval == KRB5_KT_NOTFOUND && keytab->ops->start_seq_get != NULL) { + } else { krb5_error_code code; krb5_kt_cursor cursor; @@ -203,24 +201,7 @@ krb5_rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, princ_data.realm.data = realm; princ_data.realm.length = strlen(realm); } - /* - * The following code is commented out now that match based on - * key rather than name. - */ -#if 0 - if (server && !krb5_principal_compare(context, server, req->ticket->server)) { - char *found_name = 0, *wanted_name = 0; - if (krb5_unparse_name(context, server, &wanted_name) == 0 - && krb5_unparse_name(context, req->ticket->server, &found_name) == 0) - krb5_set_error_message(context, KRB5KRB_AP_WRONG_PRINC, - "Wrong principal in request (found %s, wanted %s)", - found_name, wanted_name); - krb5_free_unparsed_name(context, wanted_name); - krb5_free_unparsed_name(context, found_name); - retval = KRB5KRB_AP_WRONG_PRINC; - goto cleanup; - } -#endif + /* if (req->ap_options & AP_OPTS_USE_SESSION_KEY) do we need special processing here ? */ |
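Review bot: The new `} else {` branch in krb5_rd_req_decrypt_tkt_part no longer carries the `keytab->ops->start_seq_get != NULL` test that the removed condition had, so the cursor-based search below it is safe only if the `if` condition that opens this block (outside the hunk) already routes keytabs without iteration support into the first branch; that should be confirmed or restated at the branch. Because the change exists to make a caller-supplied server name a constraint rather than a hint, the invariant also deserves a comment where the search starts, for example `/* No server constraint was given: try each keytab entry. Must never run when server != NULL. */`, assuming that is what the outer condition guarantees. A regression test that passes a non-NULL server with a ticket for a different principal whose key is also in the keytab, and expects failure, would keep the fallback from being reintroduced. The function body starts and ends outside the hunk.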