Age | Commit message | Author | Files | Lines |
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/moonshot-mechglue-fixes@24854 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/moonshot-mechglue-fixes@24813 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/users/lhoward/moonshot-mechglue-fixes@24778 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24704 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Be more flexible about the principal names we will accept for a given
GSS acceptor name. Also add support for a new libdefaults profile
variable ignore_acceptor_hostname, which causes the hostnames of
host-based service principals to be ignored when passed by server
applications as acceptor names.
Note that we still always invoke krb5_sname_to_principal() when
importing a gss-krb5 mechanism name, even though we won't always use
the result. This is an unfortunate waste of getaddrinfo/getnameinfo
queries in some situations, but the code surgery necessary to defer
it appears too risky at this time.
The project proposal for this change is at:
http://k5wiki.kerberos.org/wiki/Projects/Acceptor_Names
ticket: 6855
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24616 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 6794
tags: pullup
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24584 dc483132-0cff-0310-8789-dd5450dbe970
|
|
ticket: 6829
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24550 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
ticket: 6829
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24517 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Now that SAM1 support has been removed, the KDC does not need a replay
cache. Remove all code within USE_RCACHE and associated support.
Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache.
ticket: 6804
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24464 dc483132-0cff-0310-8789-dd5450dbe970
|
|
cleanup.
ticket: 6802
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24462 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Update copyright.texinfo. Move full copyright notices to appendices
of documentation. New rules to generate top-level NOTICE file from
copyright.texinfo. Regenerate NOTICE file.
ticket: 6802
tags: pullup
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24455 dc483132-0cff-0310-8789-dd5450dbe970
|
|
change_password -keepold), and add a kadmin CLI command for it.
Keeping ticket open because an automated test needs to be added.
Long-term future work includes start/expire dates on keys, or
not-yet-valid flags.
ticket: 1219
status: open
target_version: 1.9
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24442 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* krb5.conf
* admin.texinfo
* kadm5_hook_plugin.h: document initvt requirement
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24422 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add and document two new options for controlling k5login behavior.
ticket: 6792
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24402 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24387 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Merge branches/plugins2 to trunk. Adds a password quality pluggable
interface described in this project page:
http://k5wiki.kerberos.org/wiki/Projects/Password_quality_pluggable_interface
ticket: 6765
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24284 dc483132-0cff-0310-8789-dd5450dbe970
|
|
syntactically independent of parent files.
ticket: 6761
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24256 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add support for "include" and "includedir" directives in profile files.
See http://k5wiki.kerberos.org/wiki/Projects/Profile_Includes for more
details.
ticket: 6761
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24253 dc483132-0cff-0310-8789-dd5450dbe970
|
|
krb5.conf.M. Also document database_name in krb5.conf.M and slightly
adjust the wording in admin.texinfo.
ticket: 6719
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24078 dc483132-0cff-0310-8789-dd5450dbe970
|
|
to be enclosed in brackets so that IPv6 addresses can be represented.
(IPv6 addresses contain colons, which look like port separators.)
ticket: 6562
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24055 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The account lockout feature of krb5 1.8 came at a cost in database
accesses for principals requiring preauth, even if lockout is not
used. Add dbmodules variables disable_last_success and
disable_lockout for the DB2 and LDAP back ends, allowing the admin to
recover the lost performance at the cost of new functionality.
(Unrelated documentation fix: document database_name as a DB2-specific
dbmodules variable instead of the realm variable it used to be.)
ticket: 6719
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24003 dc483132-0cff-0310-8789-dd5450dbe970
|
|
r16656, #2656). Based on a patch from nalin@redhat.com.
ticket: 6680
target_version: 1.8.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23820 dc483132-0cff-0310-8789-dd5450dbe970
|
|
configuration flag
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23752 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Update documentation to be more helpful about allow_weak_crypto.
ticket: 6669
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23750 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add minimal support for re-randomizing the history key:
* cpw -randkey kadmin/history now works, but creates only one key.
* cpw -randkey -keepold kadmin/history still fails.
* libkadm5 no longer caches the history key. Performance impact
is minimal since password changes are not common.
* randkey no longer checks the newly randomized key against old keys,
and the disabled code to do so in setkey/setv4key is gone, so now
only kadm5_chpass_principal_3 accesses the password history.
ticket: 6660
target_version: 1.8
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23716 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23587 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23522 dc483132-0cff-0310-8789-dd5450dbe970
|
|
longer in tree
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23521 dc483132-0cff-0310-8789-dd5450dbe970
|
|
build system.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23341 dc483132-0cff-0310-8789-dd5450dbe970
|
|
guide.
ticket: 6583
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23310 dc483132-0cff-0310-8789-dd5450dbe970
|
|
* The test suite no longer requires root.
* appl no longer contains what it used to contain.
* Mention --disable-rpath as an alternative for make check.
ticket: 6583
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23309 dc483132-0cff-0310-8789-dd5450dbe970
|
|
doesn't commit to a stable libkadm5 C API.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23095 dc483132-0cff-0310-8789-dd5450dbe970
|
|
do check if the response came from the master KDC now.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22864 dc483132-0cff-0310-8789-dd5450dbe970
|
|
old one was removed in r22521.
ticket: 6544
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22522 dc483132-0cff-0310-8789-dd5450dbe970
|
|
In the processing code for enctype lists, add support for "DEFAULT"
to indicate the default list, for families (des/des3/aes/rc4), and
for removing entries from the current list (-foo). Also add unit
tests and document.
ticket: 6539
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22469 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22396 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22304 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22293 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22287 dc483132-0cff-0310-8789-dd5450dbe970
|
|
"addprinc" instead of "add_princ" since the latter is not a recognized
alias for add_principal.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22266 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Also document which cryptosystems are defined to be weak, and add some
enctype entries which weren't in the documentation.
ticket: 6452
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22188 dc483132-0cff-0310-8789-dd5450dbe970
|
|
doc/definitions.texinfo had, predictably, fallen out of date with
respect to the code. Update a few of the out of date comments and
defaults, particularly the default enctype lists.
ticket: 6451
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22187 dc483132-0cff-0310-8789-dd5450dbe970
|
|
it uses the wrong API and wrong key usage. So, if the auth_context
has an explicit checksum type set, then respect that. kcmd sets such
a checksum type. Also, because other applications may have the same
problem, allow the config file variable if set to override the default
checksum.
* kcmd.c: Force use of rsa_md5
* init_ctx.c: do not default to md5
* mk_req_ext.c: allow auth_context to override
ticket: 1624
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22160 dc483132-0cff-0310-8789-dd5450dbe970
|
|
all the time in the ap_req checksum path. This breaks code to support
DCE versions prior to 1.1 but uses the correct checksum for protocol
compatibility.
ticket: 1624
Target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22154 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Add a few paragraphs to the LDAP instructions on creating aliases
through direct manipulation of the LDAP data, and briefly explain when
aliases will be used.
ticket: 6419
tags: pullup
target_version: 1.7
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22089 dc483132-0cff-0310-8789-dd5450dbe970
|
|
Use dc=example,dc=com as the example base DN instead of more archaic
forms. Provide a little more cross-referencing of concepts and
mechanisms. Add additional steps in the OpenLDAP setup instructions
for choosing DNs for the Kerberos container, KDC service, and kadmin
service. Explain a little bit about what the Kerberos container and
realm container are. Be clearer that using separate subtrees from the
realm container for principals is an option, not a necessity, and
don't use the base DN as an example of a separate subtree (it's
confusing).
ticket: 6418
target_version: 1.7
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22088 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21698 dc483132-0cff-0310-8789-dd5450dbe970
|
|
The mskrb-integ branch includes support for the following projects:
* Projects/Aliases
* Projects/PAC and principal APIs
* Projects/AEAD encryption API
* Projects/GSSAPI DCE
* Projects/RFC 3244
In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions.
In the KDC it includes support for protocol transition, constrained delegation
and a new authorization data interface.
The old authorization data interface is also supported.
This commit merges the mskrb-integ branch on to the trunk.
Additional review and testing is required.
Merge commit 'mskrb-integ' into trunk
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
|
|
have. Remove the krb425 transition guide since we no longer have
compatibility code to assist with a transition.
ticket: 6303
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21545 dc483132-0cff-0310-8789-dd5450dbe970
|