diff options
| author | Sam Hartman <hartmans@mit.edu> | 2010-09-27 17:16:41 +0000 |
|---|---|---|
| committer | Sam Hartman <hartmans@mit.edu> | 2010-09-27 17:16:41 +0000 |
| commit | ada3888720a105825b91c4f6aee68ce66489264d (patch) | |
| tree | bf6fa81e93daf29fa021df02da0fa9dc48ec2d9e /src/include | |
| parent | 312b5a3b38c6df9b55fc1c3ac58abe8f9f590cea (diff) | |
| download | krb5-ada3888720a105825b91c4f6aee68ce66489264d.tar.gz krb5-ada3888720a105825b91c4f6aee68ce66489264d.tar.xz krb5-ada3888720a105825b91c4f6aee68ce66489264d.zip | |
kpasswd: if a credential cache is present, use FAST
If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.
* krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string
* kpasswd: always open the current credential cache even if not needed
for determining the principal. If the cache has tickets, use it as
an armor cache.
* tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path
ticket: 6786
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
| -rw-r--r-- | src/include/krb5/krb5.hin | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index f49ef95e2..c81a0f21e 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -1434,6 +1434,11 @@ typedef struct _krb5_cccol_cursor *krb5_cccol_cursor; #define KRB5_TC_OPENCLOSE 0x00000001 #define KRB5_TC_NOTICKET 0x00000002 +/** Retrieve the name but not type of a credential cache @returns The name of + * the credential cache as an alias that should not be freed or modified by the + * caller. This name does not include the type portion, so cannot be used as + * input to krb5_cc_resolve(). + */ const char * KRB5_CALLCONV krb5_cc_get_name(krb5_context context, krb5_ccache cache); @@ -1484,6 +1489,9 @@ krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags); krb5_error_code KRB5_CALLCONV krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags *flags); +/** Retrive the type of a credential cache @returns The type of a credential + * cache as an alias that should not be modified or freed by the caller. + */ const char * KRB5_CALLCONV krb5_cc_get_type(krb5_context context, krb5_ccache cache); @@ -2329,6 +2337,15 @@ krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt *opt, const char *fast_ccache_name); +/** Set the FAST ccache name as in + * krb5_get_init_creds_opt_set_fast_ccache_name() but using a krb5_ccache + * rather than a name + */ +krb5_error_code KRB5_CALLCONV +krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, + krb5_get_init_creds_opt *opt, + krb5_ccache fast_ccache_name); + /** * Set a ccache where resulting credentials will be stored. If set, then the * krb5_get_init_creds family of APIs will write out credentials to the given |