diff options
author | Tom Yu <tlyu@mit.edu> | 2011-02-22 22:17:26 +0000 |
---|---|---|
committer | Tom Yu <tlyu@mit.edu> | 2011-02-22 22:17:26 +0000 |
commit | 028125b8c2ba963cb28710de68706b2bb14c6c3b (patch) | |
tree | 3cfc8f9e94143fea8a3eabb63bee08778419b710 /src/kadmin/dbutil/kdb5_util.c | |
parent | 3884808c126d5081a3051040e162410d20b4c89d (diff) | |
download | krb5-028125b8c2ba963cb28710de68706b2bb14c6c3b.zip krb5-028125b8c2ba963cb28710de68706b2bb14c6c3b.tar.gz krb5-028125b8c2ba963cb28710de68706b2bb14c6c3b.tar.bz2 |
pull up r24640 from trunk
------------------------------------------------------------------------
r24640 | ghudson | 2011-02-16 18:34:37 -0500 (Wed, 16 Feb 2011) | 14 lines
ticket: 6870
subject: Don't reject AP-REQs based on PACs
target_version: 1.9.1
tags: pullup
Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.
ticket: 6870
version_fixed: 1.9.1
status: resolved
git-svn-id: svn://anonsvn.mit.edu/krb5/branches/krb5-1-9@24647 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/kadmin/dbutil/kdb5_util.c')
0 files changed, 0 insertions, 0 deletions