Initial patch to add as-use-strongest-session-key and same for tgs krb5.conf parameters for the KDC. These control the session key enctype selection algorithm for the AS and TGS respectively: if TRUE then they prefer the strongest enctype supported by the client, the KDC and the target principal, else they prefer the first enctype from the client's list that is also supported by the KDC and the target principal.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
Nicolas Williams
2011-04-06 00:44:44 -05:00
committed by Love Hörnquist Åstrand
parent ec35b8d4a2
commit a7a8a7e95c
7 changed files with 154 additions and 69 deletions
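As an added illustration of the two selection policies the commit message describes (this is not code from the Heimdal commit), the following C sketch walks a client's enctype list under both settings. The enctype numbers are the IANA assignments; the `strength` ordering, the sample sets in `demo`, and all function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Enctype numbers from the IANA Kerberos registry (RFC 3961/3962/4757). */
enum { DES_CBC_CRC = 1, DES3_CBC_SHA1 = 16, AES128_CTS = 17, AES256_CTS = 18, RC4_HMAC = 23 };

/* Position of e in list, or n if absent. */
static size_t rank_of(int e, const int *list, size_t n)
{
    size_t i;
    for (i = 0; i < n && list[i] != e; i++)
        ;
    return i;
}

/* Walk the client's list in order; a candidate is usable only if the KDC and the
 * target principal both support it.  With use_strongest the usable candidate that
 * ranks best in `strength` (assumed KDC ordering, strongest first) wins, otherwise
 * the first usable candidate wins.  Returns 0 when nothing is usable. */
int select_session_enctype(const int *client, size_t nclient,
                           const int *kdc, size_t nkdc,
                           const int *princ, size_t nprinc,
                           const int *strength, size_t nstrength,
                           bool use_strongest)
{
    int best = 0;
    size_t best_rank = nstrength;
    for (size_t i = 0; i < nclient; i++) {
        int e = client[i];
        if (rank_of(e, kdc, nkdc) == nkdc || rank_of(e, princ, nprinc) == nprinc)
            continue;                       /* KDC or principal lacks this enctype */
        if (!use_strongest)
            return e;                       /* client order decides */
        size_t r = rank_of(e, strength, nstrength);
        if (r < best_rank) { best = e; best_rank = r; }
    }
    return best;
}

/* Constructed sample: the client lists RC4 first but also offers AES256. */
int demo(bool use_strongest)
{
    const int client[]   = { RC4_HMAC, DES_CBC_CRC, AES256_CTS, AES128_CTS };
    const int kdc[]      = { AES256_CTS, AES128_CTS, DES3_CBC_SHA1, RC4_HMAC, DES_CBC_CRC };
    const int princ[]    = { AES256_CTS, RC4_HMAC };  /* keys the service principal has */
    const int strength[] = { AES256_CTS, AES128_CTS, DES3_CBC_SHA1, RC4_HMAC, DES_CBC_CRC };
    return select_session_enctype(client, 4, kdc, 5, princ, 2, strength, 5, use_strongest);
}
```

With the sample above, `demo(true)` returns 18 (aes256-cts) while `demo(false)` returns 23 (rc4-hmac), which is the difference an administrator accepts by setting the option to FALSE.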

@@ -128,6 +128,24 @@ init_context_from_config_file(krb5_context context)
free(context->etypes_des);
context->etypes_des = tmptypes;
ret = set_etypes (context, "default_as_etypes", &tmptypes);
if(ret)
return ret;
free(context->as_etypes);
context->as_etypes = tmptypes;
ret = set_etypes (context, "default_tgs_etypes", &tmptypes);
if(ret)
return ret;
free(context->tgs_etypes);
context->tgs_etypes = tmptypes;
ret = set_etypes (context, "permitted_enctypes", &tmptypes);
if(ret)
return ret;
free(context->permitted_enctypes);
context->permitted_enctypes = tmptypes;
/* default keytab name */
tmp = NULL;
if(!issuid())
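Review bot: the three new set_etypes calls for default_as_etypes, default_tgs_etypes and permitted_enctypes introduce client-side krb5.conf keys that neither the commit message (which describes only the KDC's as-use-strongest-session-key and tgs-use-strongest-session-key) nor the kdc.conf manual page hunk in this diff documents; add the corresponding [libdefaults] entries to the krb5.conf manual page, stating what each list constrains and what applies when the key is absent. A short comment above this block saying how permitted_enctypes interacts with the as/tgs lists when they disagree would also help, since nothing in this function shows which one wins.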

@@ -405,6 +405,15 @@ Default is the same as
Should the kdc answer kdc-requests over http.
.It Li enable-kaserver = Va BOOL
If this kdc should emulate the AFS kaserver.
.It Li as-use-strongest-session-key = Va BOOL
If this is TRUE then the KDC will prefer the strongest key from the
client's AS-REQ enctype list, that is also supported by the KDC and the
target principal, for the ticket session key. Else it will prefer the
first key from the client's AS-REQ enctype list that is also supported
by the KDC and the target principal. Defaults to TRUE.
.It Li tgs-use-strongest-session-key = Va BOOL
Like as-use-strongest-session-key, but applies to the session key
enctype of tickets issued by the TGS. Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests.
.\" XXX
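Review bot: the new text never says what "strongest" means, i.e. which ordering the KDC uses to rank the enctypes in the client's list; the as-use-strongest-session-key paragraph should name that ordering, and should say plainly that FALSE lets the client's own list order choose the session key enctype. Two style points: "Like as-use-strongest-session-key" should be marked up with `.Li as-use-strongest-session-key` like the `.It Li` lines above it, and the comma in "strongest key from the client's AS-REQ enctype list, that is also supported" should be dropped since the clause is restrictive.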

@@ -246,9 +246,14 @@ struct _krb5_get_init_creds_opt_private {
} lr;
};
typedef uint32_t krb5_enctype_set;
typedef struct krb5_context_data {
krb5_enctype *etypes;
krb5_enctype *etypes_des;
krb5_enctype *etypes_des;/* deprecated */
krb5_enctype *as_etypes;
krb5_enctype *tgs_etypes;
krb5_enctype *permitted_enctypes;
char **default_realms;
time_t max_skew;
time_t kdc_timeout;
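Review bot: `typedef uint32_t krb5_enctype_set;` is introduced here but nothing else in this diff uses it; either drop it or add a comment saying what it represents. If it is meant as a bitmask indexed by enctype number, note that krb5_enctype values are not confined to 0..31 (Heimdal also defines negative private-use enctypes), so a 32-bit set cannot hold an arbitrary enctype. Minor: the replacement line `krb5_enctype *etypes_des;/* deprecated */` is missing a space before the comment, and the comment could say which of the new fields (as_etypes, tgs_etypes) supersedes it.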