oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Optional backwards-compatible anon-pkinit behaviour

Browse Source 
* Anonymous pkinit responses from the KDC where the name
  type is not well-known (as issued by 7.5 KDCs and earlier)
  are accepted by the client.  There is no need for the client
  to strictly enforce the name type.

* With historical_anon_pkinit = true, the kinit(1) client's
  "--anonymous" option only performs anon pkinit, and does
  not require an '@' prefix for the realm argument.

* With historical_anon_realm = true, the KDC issues anon
  pkinit tickets with the legacy pre-7.0 "real" realm.
This commit is contained in:
Viktor Dukhovni
2019-07-14 23:02:57 -04:00
committed by Viktor Dukhovni
parent f40d393c83
commit fae8df3839
11 changed files with 141 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
kdc/kdc.h
View File

@@ -69,6 +69,7 @@ typedef struct krb5_kdc_configuration {
krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous;
krb5_boolean historical_anon_realm;
krb5_boolean strict_nametypes;
enum krb5_kdc_trpolicy trpolicy;