krb5.git/src/lib/krb5, branch master Unnamed repository; edit this file 'description' to name the repository. Use preauth options when changing password 2014-03-03T16:58:58+00:00 Greg Hudson ghudson@mit.edu 2014-02-28T19:49:35+00:00 9f9c4acd9629913d2ff197e0f4994d091f2073d5 If we try to change the password in rb5_get_init_creds_password, we must use all application-specified gic options which affect preauthentication when getting the kadmin/changepw ticket. Create a helper function make_chpw_options which copies the application's options, unsets the options we don't want, and sets options appropriate for a temporary ticket. ticket: 7868 
If we try to change the password in rb5_get_init_creds_password, we
must use all application-specified gic options which affect
preauthentication when getting the kadmin/changepw ticket.  Create a
helper function make_chpw_options which copies the application's
options, unsets the options we don't want, and sets options
appropriate for a temporary ticket.

ticket: 7868
Eliminate internal fixed-width type wrappers 2014-02-26T21:15:20+00:00 Greg Hudson ghudson@mit.edu 2014-02-01T21:26:51+00:00 1041af9f85e4be342339475cf5c8878fef1de10d Directly use stdint.h names for integer types in preference to the various internal names we have made up for them. 
Directly use stdint.h names for integer types in preference to the
various internal names we have made up for them.
Support referrals from Windows Server 2003 2014-02-18T20:20:15+00:00 Nate Rosenblum nater@maginatics.com 2013-12-23T21:21:44+00:00 3093b92734adfe2deb9ad6bad5a221acc967fd8b Although RFC 6806 Section 7 requires servers to indicate a client referral in a WRONG_REALM message, Microsoft Windows Server 2003 returns this information in a message with error code PRINCIPAL_UNKNOWN. Failure to follow the referral in these messages prevents referral chasing in Windows Server 2003 forests. Detect referral messages of this type by checking for a non-empty client.realm field in the response, and activate the referral logic in these cases. [tlyu@mit.edu: style, comments, and commit message] ticket: 7856 (new) target_version: 1.12.2 tags: pullup 
Although RFC 6806 Section 7 requires servers to indicate a client
referral in a WRONG_REALM message, Microsoft Windows Server 2003
returns this information in a message with error code
PRINCIPAL_UNKNOWN.  Failure to follow the referral in these messages
prevents referral chasing in Windows Server 2003 forests.  Detect
referral messages of this type by checking for a non-empty
client.realm field in the response, and activate the referral logic in
these cases.

[tlyu@mit.edu: style, comments, and commit message]

ticket: 7856 (new)
target_version: 1.12.2
tags: pullup
Fix SAM-2 preauth when password argument is used 2014-02-12T03:50:02+00:00 Greg Hudson ghudson@mit.edu 2014-02-12T01:00:51+00:00 3bedfe7c3724b0d22c72d1684f1cf76cfb600fdd sam2_process accesses gak_data to get the password, so that it can do string-to-key with the etype in the SAM-2 challenge. When #7642 changed gic_pwd.c to use struct gak_password instead of krb5_data, sam2_process wasn't altered to match. We don't see a problem when the password is read through the prompter (as with kinit), because the password winds up in the storage field at the beginning of the gak_password structure. But when a password is supplied as a parameter (as with ksu), the storage field is empty and we get the wrong answer from sam2_process. ticket: 7862 target_version: 1.12.2 tags: pullup 
sam2_process accesses gak_data to get the password, so that it can do
string-to-key with the etype in the SAM-2 challenge.  When #7642
changed gic_pwd.c to use struct gak_password instead of krb5_data,
sam2_process wasn't altered to match.  We don't see a problem when the
password is read through the prompter (as with kinit), because the
password winds up in the storage field at the beginning of the
gak_password structure.  But when a password is supplied as a
parameter (as with ksu), the storage field is empty and we get the
wrong answer from sam2_process.

ticket: 7862
target_version: 1.12.2
tags: pullup
Make rcache resolve functions take const char * 2014-01-17T20:58:07+00:00 Greg Hudson ghudson@mit.edu 2014-01-15T17:31:41+00:00 74ff6c4accb68bd1d6c652c55e66519720db9fc4 






Get time offsets for all keyring ccaches
2014-01-17T16:27:29+00:00

Greg Hudson
ghudson@mit.edu

2014-01-16T22:48:54+00:00

e99c688913a7761c6adea9488ea9355f43539883

Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.

ticket: 7820
target_version: 1.12.2
tags: pullup





Move the time offset lookup from krb5_krcc_resolve to make_cache, so
that we fetch time offsets for caches created by
krb5_krcc_ptcursor_next.

ticket: 7820
target_version: 1.12.2
tags: pullup







Work around Linux session keyring write behavior
2014-01-10T05:56:24+00:00

Greg Hudson
ghudson@mit.edu

2014-01-09T05:18:44+00:00

0642afa544b00054048775d0b9796923bf018e22

If the session keyring matches the user session keyring, write
explicitly to the user session keyring.  Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.

ticket: 7814
target_version: 1.12.1
tags: pullup





If the session keyring matches the user session keyring, write
explicitly to the user session keyring.  Otherwise the kernel might
create a new session keyring for the process, making the resulting
cache collection invisible to other processes.

ticket: 7814
target_version: 1.12.1
tags: pullup







make depend
2013-12-21T04:13:57+00:00

Greg Hudson
ghudson@mit.edu

2013-12-21T04:13:57+00:00

f5d5fa24c6c58b54349351beaea8220f5ca0f3ef












Avoid keyctl purge in keyring ccache tests
2013-12-21T04:10:03+00:00

Greg Hudson
ghudson@mit.edu

2013-12-20T20:19:06+00:00

94da4584645475272abec6259d1666e34bd59594

keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup





keyctl purge was added in keyutils 1.5 (released in March 2011).  Use
keyctl unlink to clean up keys instead, as it is more universal.

ticket: 7810
target_version: 1.12.1
tags: pullup







Set an error message when keyring get_princ fails
2013-12-21T04:10:03+00:00

Nalin Dahyabhai
nalin@dahyabhai.net

2013-12-05T18:54:09+00:00

c25fc42e8eac7350209df61e4a7b9960d17755ca

When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup





When attempting to use a keyring cache that doesn't exist, set an error
message when we fail to read a principal name, as we do when we return
the same error code when using a file ccache.

[ghudson: removed unnecessary check for d->name nullity.]

ticket: 7809
target_version: 1.12.1
tags: pullup