kdc: add auth data type for synthetic principals

Add a new authorization data type to indicate a synthetic principal was used,
to allow synthetic clients acquired outside of PKINIT (e.g. with GSS-API
pre-authentication) to use the TGS.

Note: we continue to honor KRB5_AUTHDATA_INITIAL_VERIFIED_CAS to indicate that
it is OK for the client to be synthetic, even though it is only an indication
that the client *may* have been synthetic.
Luke Howard
2021-12-18 14:54:13 +11:00
parent 23d96d822f
commit e7588952ce
3 changed files with 50 additions and 18 deletions

@@ -215,6 +215,7 @@ AUTHDATA-TYPE ::= INTEGER {
KRB5-AUTHDATA-SIGNTICKET-OLDER(-17),
KRB5-AUTHDATA-SIGNTICKET-OLD(142),
KRB5-AUTHDATA-SIGNTICKET(512),
KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513), -- principal was synthetised
KRB5-AUTHDATA-AP-OPTIONS(143),
-- N.B. these assignments have not been confirmed yet.
--
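Review bot: the new KRB5-AUTHDATA-SYNTHETIC-PRINC-USED(513) entry is inserted directly above the "N.B. these assignments have not been confirmed yet" remark, so it is unclear whether 513 is meant to be covered by that caveat or is a confirmed assignment; suggest either moving the new line below the remark or extending the remark to say which values it applies to. The trailing comment also spells "synthetised"; suggest "synthesised" (or "synthesized") to match the commit message wording. Since the commit message says this type is what lets a synthetic client use the TGS, it would help reviewers and later readers if the ASN.1 comment stated where the element is expected to appear, so that its trust assumptions are documented next to the value rather than only in the KDC code that consumes it.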