| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Make kdc_active_realm a local variable in every function that needs
it. Pass it around in various state structures as needed. Keep the
macros that reference its members remain for now.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Adds a principal string attribute named "session_enctypes" which can
specify what enctypes the principal supports for session keys. (For
what it's worth, this actually allows one to list des-cbc-md5 as a
supported session key enctype, though obviously this hardly matters
now.)
Add a [realms] section parameter for specifying whether to assume that
principals (which lack the session_enctypes attribute) support
des-cbc-crc for session keys. This allows those who still need to use
allow_weak_crypto=true, for whatever reason, to start reducing the
number of tickets issued with des-cbc-crc session keys to clients
which still give des-cbc-crc preference in their default_tgs_enctypes
list.
[ghudson@mit.edu: Miscellaneous edits, cleanups, and fixes; refactored
test script; documented session_enctypes attribute]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
r24314 (#6778) created a hybrid owernship model for the master key
list, with one virtual copy stored in the DAL handle and one provided
to the caller of krb5_db_fetch_mkey_list. Replace this with a model
where only the DAL handle owns the list, and a caller can get access
to an alias pointer with a new function krb5_db_mkey_list_alias().
Functions which previously accepted the master key list as an input
parameter now expect to find it in the DAL handle.
Patch by Will Fiveash <will.fiveash@oracle.com>.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@25781 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
and license comments.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24695 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Implement a new realm flag to reject ticket requests from anonymous
principals to any principal other than the local TGT. Allows FAST to
be deployed using anonymous tickets as armor in realms where the set
of authenticatable users must be constrained.
ticket: 6829
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24547 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now that SAM1 support has been removed, the KDC does not need a replay
replay cache. Remove all code within USE_RCACHE and associated support.
Rename --disable-kdc-replay-cache to --disable-kdc-lookaside-cache.
ticket: 6804
target_version: 1.9
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24464 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23968 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
Re-integrates the forked versions of network.c in kdc and
kadmin/server. Server-specific initialization and SIGHUP-reset code
is moved into other source files; the more generic network-servicing
code is merged and moved into apputils library already used by both
programs.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23811 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
that uses it. This removes a warning of shadowed variable names. Change
several functions to static when limited to main.c
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23563 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
make reindent
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@23100 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
conditionals, based on a variable initialized based on the
compile-time conditional (but probably eventually set from the config
file or command line).
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22569 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
.
r22530@squish: raeburn | 2009-08-12 13:55:57 -0400
Change KRBCONF_KDC_MODIFIES_KDB to a mostly run-time option.
Change all code conditionals to test a new global variable, the
initial value of which is based on KRBCONF_KDC_MODIFIES_KDB. There is
currently no way to alter the value from the command line; that will
presumably be desired later.
Change initialize_realms to store db_args in a global variable. In
process_as_req, call db_open instead of the old set_name + init.
Don't reopen if an error is reported by krb5_db_fini.
Add a test of running kinit with an incorrect password, to trigger a
kdb update if enabled.
r22531@squish: raeburn | 2009-08-12 13:58:13 -0400
Fix trailing whitespace.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@22518 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit for the Master Key Migration Project.
http://k5wiki.kerberos.org/wiki/Projects/Master_Key_Migration
This commit provides the ability to add a new master key (with an
enctype differing from the current master key) to the master key
principal and stash file and then migrate the encryption of existing
principals long term keys to use the new master key. In addition
deletion of master keys is provided.
ticket: 6354
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21844 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
implementing minimal referral support in the KDC
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21792 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The mskrb-integ branch includes support for the following projects:
Projects/Aliases
* Projects/PAC and principal APIs
* Projects/AEAD encryption API
* Projects/GSSAPI DCE
* Projects/RFC 3244
In addition, it includes support for enctype negotiation, and a variety of GSS-API extensions.
In the KDC it includes support for protocol transition, constrained delegation
and a new authorization data interface.
The old authorization data interface is also supported.
This commit merges the mskrb-integ branch on to the trunk.
Additional review and testing is required.
Merge commit 'mskrb-integ' into trunk
ticket: new
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@21690 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@19543 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
| |
ticket: 1553
target_version: 1.3
status: open
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15544 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
config file entries to indicate port numbers.
Checkpointing a working version; debug code needs cleanup, doc needs writing.
ticket: 1175
status: open
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14885 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
transit path checking enforcement for kdc; supporting code, doc update
[merged from 1.2.3 release branch]
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13758 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
| |
except perhaps for a client talking to both a new and old KDC? Several
improvements to guard against replay attacks when hardware preauth is in use,
though they require re-enabling the USE_RCACHE code, which I haven't done yet.
Several changes of mine for silencing a few compiler warnings, and adding some
debugging log messages while I track what's going on with the preauth code.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@12010 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11853 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@11001 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
| |
reopening its log files, so that logfile management utilities
may now compress old logs and then kill -HUP the KDC process
to get them to use fresh log files.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10627 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
| |
should be associated with a krb5_db_context which will
make having a krb5_context unnecessary in the realm context.
* kdc_util.c kdc_process_tgs_req(): Use the realm keytab instead
of faking up a user-to-user key to pass to krb5_rd_req_decode().
* main.c: Added code to use the new database keytab routines.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7200 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
main.c (initialize_realms): Massive revamp of how the network ports
are setup. The default port list for a realm is read from
[kdcdefaults]/kdc_ports from the kdc.conf file. For each realm, a
list of ports can be specified in [realms]/<realm>/kdc_ports.
extern.h (kdc_realm_t): Remove realm_pport and realm_sport, and added
realm_ports.
do_tgs_req.c (process_tgs_req):
do_as_req.c (process_as_req):
dispatch.c (dispatch): Pass the portnumber of the incoming request down
to process_as_req and process_tgs_req, instead of the boolean
"is_secondary".
kerberos_v4.c (kerb_get_principal, kerberos_v4): Fix gcc -Wall flames,
by fixing signed vs. unsigned types.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6937 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6527 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6287 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@6137 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@5031 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
|
| |
command line. If the appropriate /etc/services entries aren't found,
use compiled in defaults.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4851 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
Added krb5_context to all krb5_*() routines.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4815 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@4190 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
to "may require..."
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2638 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2367 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@2156 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1684 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1680 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1392 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@1308 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@945 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
remove krb5_des_cs_entry; it's properly declared in <krb5/des.h>
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@569 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
|
|
| |
add signal_requests_exit, dbm_db_name
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@313 dc483132-0cff-0310-8789-dd5450dbe970
|
|
|
|
| |
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@288 dc483132-0cff-0310-8789-dd5450dbe970
|
|
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@255 dc483132-0cff-0310-8789-dd5450dbe970
|