From eeefea9966e50bf16af6e2df9e8b74d892598bef Mon Sep 17 00:00:00 2001 From: Sam Hartman Date: Mon, 17 Mar 2003 01:03:11 +0000 Subject: Disable krb4 cross-realm in krb524d and krb5kdc. Provide an option to reenable (-X) which prints a warning that you are creating a security hole. Remove support for generating krb4 tickets encrypted using 3DES service keys as it is insecure. They are still accepted however. The KDc is much more strict about accepting only tickets that it would have issued in the current configuration. In particular if the KDC would choose some enctype for writing a TGT, other enctypes will not be accepted when using a TGT. Ticket: 1385 Target_Version: 1.3 Tags: pullup git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@15286 dc483132-0cff-0310-8789-dd5450dbe970 --- src/lib/kdb/ChangeLog | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'src/lib/kdb/ChangeLog') diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog index d685be6d9..4592b4c19 100644 --- a/src/lib/kdb/ChangeLog +++ b/src/lib/kdb/ChangeLog @@ -1,3 +1,11 @@ +2003-03-16 Sam Hartman + + * keytab.c (krb5_ktkdb_get_entry): Match only against the first + enctype for non-cross-realm tickets so we will only accept + tickets that the current configuration would have issued. For + cross-realm tickets be liberal and match against the specified + enctype. + 2003-03-05 Tom Yu * kdb_xdr.c (krb5_dbe_search_enctype): Check for ktype > 0 rather -- cgit