| author | Greg Hudson <ghudson@mit.edu> | 2011-02-16 23:34:37 +0000 |
|---|---|---|
| committer | Greg Hudson <ghudson@mit.edu> | 2011-02-16 23:34:37 +0000 |
| commit | 76ebe5d07c1002b674eb1c4e3ab35f6001eec91c (patch) | |
| tree | d35c0e3155a3f71a9b9d814663754974b4108933 /src/include | |
| parent | 6d931b7ce12ea2082b0f2fdb53c6b43fed93cfb2 (diff) | |
Don't reject AP-REQs based on PACs
Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue with OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.
ticket: 6870
target_version: 1.9.1
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24640 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/k5-trace.h | 5 |
1 files changed, 2 insertions, 3 deletions
diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index 0df77fc19..96a6acf5f 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -197,9 +197,8 @@ TRACE(c, (c, "Negotiating for enctypes in authenticator: {etypes}", \ etypes)) -#define TRACE_MSPAC_NOSRVCKSUM(c) \ - TRACE(c, (c, "MS PAC lacks a server checksum. "\ - "Apple Open Directory bug?")) +#define TRACE_MSPAC_VERIFY_FAIL(c, err) \ + TRACE(c, (c, "PAC checksum verification failed: {kerr}", err)) #define TRACE_MSPAC_DISCARD_UNVERF(c) \ TRACE(c, (c, "Filtering out unverified MS PAC")) |
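Review bot: The message in the new TRACE_MSPAC_VERIFY_FAIL, "PAC checksum verification failed: {kerr}", does not say that the failure is now non-fatal, while the commit message states that the AP exchange continues with the PAC simply left unverified. Consider wording such as "PAC checksum verification failed, treating PAC as unverified: {kerr}" so that someone reading the trace output does not conclude the AP-REQ was rejected. The removed TRACE_MSPAC_NOSRVCKSUM also named the missing-server-checksum case specifically; that distinction now rests entirely on the err value, so it is worth confirming that the {kerr} text is distinguishable for that case. Since the diffstat shown is limited to src/include, also confirm that every caller of the old macro elsewhere in the tree is updated in the same commit.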
