| field | value | date |
|---|---|---|
| author | Greg Hudson <ghudson@mit.edu> | 2019-01-02 16:54:28 -0500 |
| committer | Greg Hudson <ghudson@mit.edu> | 2019-03-05 11:45:21 -0500 |
| commit | 9d6847c8f0187a0dd6466420335b5460de5c449e (patch) | |
| tree | 94bf7e5a0a8d9f285f550aaace3a0cb50cfbb5e6 /src/tests/gssapi/t_s4u.py | |
| parent | 46655c8557c00c639e6aba2e0ed1980ff5df50af (diff) | |
Improve S4U2Self realm identification internals
Realm identification for S4U2Self requests ([MS-SFU] 3.1.5.1.1.1) uses
the AS code path with some differences: we might want to include a
subject certificate in pa-data, we want to stop as soon as we get a
reply indicating which realm the client is in, and we want to
communicate that realm to the caller. The current method of making
these changes is fragile--it uses an optimistic preauth type but does
not actually pre-authenticate, and it assumes that the AS code will
terminate with a predictable error if there is no prompter and a
trivial GAK function.
Instead, add fields to krb5_get_init_creds_context for realm
identification, and support them in the AS state machine, making sure
never to invoke preauth modules. Add a new library-internal function
k5_identify_realm() to set up an appropriate context, run the state
machine, and copy out the client principal of the last request on
success.
Diffstat (limited to 'src/tests/gssapi/t_s4u.py')
-rwxr-xr-x | src/tests/gssapi/t_s4u.py | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index 164fec8..7aff9af 100755 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -198,14 +198,12 @@ r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab], env=no_default, # that we start at the server realm. mark('cross-realm S4U2Self with enterprise name') msgs = ('Getting initial credentials for enterprise\\@abc@SREALM', - 'Processing preauth types: PA-FOR-X509-USER (130)', 'Sending unauthenticated request', '/Realm not local to KDC', 'Following referral to realm UREALM', - 'Processing preauth types: PA-FOR-X509-USER (130)', 'Sending unauthenticated request', '/Additional pre-authentication required', - '/Generic preauthentication failure', + 'Identified realm of client principal as UREALM', 'Getting credentials enterprise\\@abc@UREALM -> user@SREALM', 'TGS reply is for enterprise\@abc@UREALM -> user@SREALM') r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab], |
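Review bot: the expected trace now only asserts the positive line 'Identified realm of client principal as UREALM', so nothing in this test checks the commit message's guarantee that realm identification never invokes preauth modules; the two removed 'Processing preauth types: PA-FOR-X509-USER (130)' lines were the only visible evidence of that path before, and their mere absence from expected_trace does not fail the test if they reappear. Consider adding a check that the trace output contains no 'Processing preauth types' line for this run, so a regression that starts running preauth modules during realm identification is caught here rather than only by the changed final message. Minor style point in the unchanged context: the first message uses 'enterprise\\@abc@SREALM' while the last uses 'enterprise\@abc@UREALM'; both yield the same string, but the single-backslash form relies on Python keeping an invalid escape literally and will warn on newer interpreters, so the doubled form should be used consistently.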