path: root/src/tests/asn.1/trval_reference.out
author Greg Hudson <ghudson@mit.edu> 2022-01-07 22:41:30 -0500
committer Greg Hudson <ghudson@mit.edu> 2022-01-12 13:28:07 -0500
commit a441fbe329ebbd7775eb5d4ccc4a05eef370f08b
tree ed56952614e5c72981d48d75398d33b2a7fffb05 /src/tests/asn.1/trval_reference.out
parent c85894cfb784257a6acb4d77d8c75137d2508f5e
Replace AD-SIGNEDPATH with minimal PACs

Remove all of the AD-SIGNEDPATH code. Instead, issue a signed minimal PAC in all tickets and require a valid PAC to be present in all tickets presented for S4U operations. Remove the get_authdata_info() and sign_authdata() DAL methods, and add an issue_pac() method to allow the KDB to add or copy buffers to the PAC. Add a disable_pac realm flag.

Microsoft revised the S4U2Proxy rules for forwardable tickets. All S4U2Proxy operations require forwardable evidence tickets, but S4U2Self should issue a forwardable ticket if the requesting service has no ok-to-auth-as-delegate bit but also no constrained delegation privileges for traditional S4U2Proxy. Implement these rules, extending the check_allowed_to_delegate() DAL method so that the KDC can ask if a principal has any delegation privileges.

Combine the KRB5_KDB_FLAG_ISSUE_PAC and KRB5_FLAG_CLIENT_REFERRALS_ONLY flags into KRB5_KDB_FLAG_CLIENT. Rename the KRB5_KDB_FLAG_CANONICALIZE flag to KRB5_KDB_FLAG_REFERRAL_OK, and only pass it to get_principal() for lookup operations that can use a realm referral.

For consistency with Active Directory, honor the no-auth-data-required server principal flag for S4U2Proxy but not for S4U2Self. Previously we did the reverse.

ticket: 9044 (new)

Diffstat (limited to 'src/tests/asn.1/trval_reference.out')
-rw-r--r-- src/tests/asn.1/trval_reference.out 49
1 files changed, 0 insertions, 49 deletions
diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out
index 432fdce..9bedad4 100644
--- a/src/tests/asn.1/trval_reference.out
+++ b/src/tests/asn.1/trval_reference.out
@@ -1251,55 +1251,6 @@ encode_krb5_ad_kdcissued:
. . . [0] [Integer] 1
. . . [1] [Octet String] "foobar"
-encode_krb5_ad_signedpath_data:
-
-[Sequence/Sequence Of]
-. [0] [Sequence/Sequence Of]
-. . [0] [Sequence/Sequence Of]
-. . . [0] [Integer] 1
-. . . [1] [Sequence/Sequence Of]
-. . . . [General string] "hftsai"
-. . . . [General string] "extra"
-. . [1] [General string] "ATHENA.MIT.EDU"
-. [1] [Generalized Time] "19940610060317Z"
-. [2] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [0] [Sequence/Sequence Of]
-. . . . [0] [Integer] 1
-. . . . [1] [Sequence/Sequence Of]
-. . . . . [General string] "hftsai"
-. . . . . [General string] "extra"
-. . . [1] [General string] "ATHENA.MIT.EDU"
-. [3] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [1] [Integer] 13
-. . . [2] [Octet String] "pa-data"
-. . [Sequence/Sequence Of]
-. . . [1] [Integer] 13
-. . . [2] [Octet String] "pa-data"
-. [4] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [0] [Integer] 1
-. . . [1] [Octet String] "foobar"
-. . [Sequence/Sequence Of]
-. . . [0] [Integer] 1
-. . . [1] [Octet String] "foobar"
-
-encode_krb5_ad_signedpath:
-
-[Sequence/Sequence Of]
-. [0] [Integer] 1
-. [1] [Sequence/Sequence Of]
-. . [0] [Integer] 1
-. . [1] [Octet String] "1234"
-. [3] [Sequence/Sequence Of]
-. . [Sequence/Sequence Of]
-. . . [1] [Integer] 13
-. . . [2] [Octet String] "pa-data"
-. . [Sequence/Sequence Of]
-. . . [1] [Integer] 13
-. . . [2] [Octet String] "pa-data"
-
encode_krb5_iakerb_header:
[Sequence/Sequence Of]
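
Review bot: The two deleted reference entries, encode_krb5_ad_signedpath_data: and encode_krb5_ad_signedpath:, are expected output, so this removal is only correct if the test program that generates the trval output stops emitting both entries in the same commit; otherwise the comparison against this file fails at the point where encode_krb5_iakerb_header: now directly follows encode_krb5_ad_kdcissued:. The diffstat shown is limited to this one file, so that cannot be confirmed from here. Please check that the matching encoder test cases, and any decoder-side reference data for the same two types, are dropped alongside this hunk, and that no remaining test still refers to either name.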