diff options
| author | Jeffrey Altman <jaltman@secure-endpoints.com> | 2003-12-12 22:22:36 +0000 |
|---|---|---|
| committer | Jeffrey Altman <jaltman@secure-endpoints.com> | 2003-12-12 22:22:36 +0000 |
| commit | 1024cce992605494dec0566a963efb1bdc0ff1d5 (patch) | |
| tree | 297fbeb92fb86d8bda2d0df38fb888fc30b6f13a /src/lib/ChangeLog | |
| parent | f76582cbba8012679b4fd04db4880f09e80988be (diff) | |
| download | krb5-1024cce992605494dec0566a963efb1bdc0ff1d5.tar.gz krb5-1024cce992605494dec0566a963efb1bdc0ff1d5.tar.xz krb5-1024cce992605494dec0566a963efb1bdc0ff1d5.zip | |
* Added new krb5_ccache type "MSLSA" for Windows only.
This new ccache type provides an interface for the MIT krb5_cc api
functions to be used to access the contents of the MS Kerberos LSA
cache. The ccache type is read-only because the MS Kerberos LSA
does not allow third party applications to insert credentials into
the cache.
The primary motivation of this work was to encapsulate the complex
operations necessary to manipulate the MS Kerberos LSA. The code
was far from trivial and was often implemented incorrectly. Worse
still was the fact that each version of Windows since W2K modified
the use of the LSA API.
The code which was originally donated in the form of ms2mit.c had
many memory and handle leaks which were acceptable for a one time
application such as ms2mit.c. Unfortunately, this code has started
to appear in many other applications: KfW's Leash, the AFS Wake
systray tool, and others.
By using the new MSLSA ccache the implementation of ms2mit.c went
from 890 lines to 50 lines of code and comments. All that is necessary
is for the MSLSA ccache to be resolved and for its contents to be
copied with krb5_cc_copy_creds to the default ccache.
The MSLSA ccache implements all of the functions of a ccache except
those which would be used to store data into the ccache. When a
write attempt is performed the new error KRB5_CC_READONLY is returned.
The residual portion of the MSLSA ccache name is current ignored
but preserved. If you ask for ccache "MSLSA:myname" you will be
given access to the LSA cache for the current Logon Session. If
you later ask for the name of the ccache you will be returned the
same name. In the future, the residual might be used to provide
information necessary to identify a specific logon session whose
cache it is desired to access. If this is ever done, the applications
which use it will have to possess the SeTcbPrivilege privilege.
Using KfW's Leash it is now possible to set the Krb5 credential
cache to "MSLSA:" and use it to monitor the contents of the
MS Kerberos LSA cache.
As part of adding this functionality, krb5_32.dll is not linked
against the "secur32.lib" library as the Lsa security sdk routines
are stored in the SECUR32.DLL file.
ticket: 2049
target_version: 1.3.2
tags: pullup
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15886 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/lib/ChangeLog')
| -rw-r--r-- | src/lib/ChangeLog | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog index 6e3b19467..c6777db66 100644 --- a/src/lib/ChangeLog +++ b/src/lib/ChangeLog @@ -1,3 +1,8 @@ +2003-12-11 Jeffrey Altman <jaltman@mit.edu> + + * Makefile.in: Add secur32.lib to libraries necessary to build + krb5_32.dll. Necessary to support the new MSLSA ccache type. + 2003-12-08 Jeffrey Altman <jaltman@mit.edu> * krb4_32.def: Add exports for functions exported by KfM |