authorGreg Hudson <ghudson@mit.edu>2022-01-13 14:33:14 -0500
committerGreg Hudson <ghudson@mit.edu>2022-01-27 15:54:43 -0500
commit78fd66926c4be5910c1e21d9e553dfb792ae822a (patch)
treef4c60ac72039a551ef1f0b7cbd68e787a8d5f26d /src/plugins
parentff57dc682a27bd205d715f3c0bed84890f2453c4 (diff)
Implement replaced_reply_key input to issue_pac()
If a kdcpreauth module fully replaces the reply key during an AS request, pass the reply key as the replaced_reply_key input to issue_pac(). In Windows environments this is used to provide an NTLM hash to the LSA when the client cannot be presumed to have a password to derive it from. To test this, add a fake PAC_CREDENTIALS_INFO buffer to the PAC in the test KDB module, and alter adata.c to display the set of PAC buffer types when a PAC is present. ticket: 9050 (new)
Diffstat (limited to 'src/plugins')
-rw-r--r--src/plugins/kdb/test/kdb_test.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c
index 8e7015d..e6d7aae 100644
--- a/src/plugins/kdb/test/kdb_test.c
+++ b/src/plugins/kdb/test/kdb_test.c
@@ -656,6 +656,14 @@ test_issue_pac(krb5_context context, unsigned int flags, krb5_db_entry *client,
data = string2data("fake");
check(krb5_pac_add_buffer(context, new_pac, KRB5_PAC_LOGON_INFO,
&data));
+
+ if (replaced_reply_key != NULL) {
+ /* Add a fake PAC_CREDENTIALS_INFO buffer so we can test whether
+ * this parameter was set. */
+ data = string2data("fake credinfo");
+ check(krb5_pac_add_buffer(context, new_pac,
+ KRB5_PAC_CREDENTIALS_INFO, &data));
+ }
return 0;
} else {
/* Field copying - my favorite! */
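Review bot: The added `if (replaced_reply_key != NULL)` branch tests only that the pointer is set and never looks at the key, so a test built on this fake buffer would still pass if the KDC passed issue_pac() some other key than the one the kdcpreauth module substituted. If that matters for ticket 9050, the fake contents could carry something taken from the key, such as its enctype, so the expected output pins which key arrived. At minimum the comment should say the buffer is a presence marker and not a model for real modules, for example `/* Presence marker only: the key is not examined. A real module would encrypt this buffer in replaced_reply_key. */`; the encryption requirement is my reading of the PAC credentials format, so please confirm the wording. test_issue_pac starts and ends outside this hunk, and the declaration of replaced_reply_key is not visible here.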