From ada3888720a105825b91c4f6aee68ce66489264d Mon Sep 17 00:00:00 2001
From: Sam Hartman
Date: Mon, 27 Sep 2010 17:16:41 +0000
Subject: kpasswd: if a credential cache is present, use FAST

If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.

* krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string
* kpasswd: always open the current credential cache even if not needed for determining the principal. If the cache has tickets, use it as an armor cache.
* tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path

ticket: 6786

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24359 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/tests/dejagnu/krb-standalone/kadmin.exp | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 (limited to 'src/tests')

diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 1eac9e339..1822bc38a 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -996,10 +996,11 @@ proc kadmin_test { } { } # now test that we can kinit with principals/passwords. + # We defer kdestroying until after kpasswd at least once to test FAST automatic use in kpasswd if {![kadmin_add testprinc1/instance thisisatest] \ || ![kinit testprinc1/instance thisisatest 0] \ - || ![kdestroy] \ || ![kpasswd_cpw testprinc1/instance thisisatest anothertest] \ + || ![kdestroy] \ || ![kinit testprinc1/instance anothertest 0] \ || ![kdestroy] \ || ![kpasswd_cpw testprinc1/instance anothertest goredsox] \ -- cgit
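Review bot: the first `kpasswd_cpw testprinc1/instance thisisatest anothertest` now runs with a populated cache, but the condition chain only checks that the password change succeeds, not that FAST was actually used, so a silent fallback to an unarmored exchange would still pass this test. Consider having the test confirm the armored path was taken for that call, if the harness exposes anything that shows it. The armor ticket here also belongs to the same principal whose password is being changed (`kinit testprinc1/instance thisisatest 0`), so the commit message's case of using one principal's ticket to protect another principal's password change is not covered; a `kpasswd_cpw` run with a cache holding a different principal's ticket would exercise it. The later `kpasswd_cpw testprinc1/instance anothertest goredsox` still follows a `kdestroy`, so the no-cache path stays tested, and a short comment on that line would make the intent explicit alongside the new comment at the top of the block.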