oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Optional backwards-compatible anon-pkinit behaviour

Browse Source 
* Anonymous pkinit responses from the KDC where the name
  type is not well-known (as issued by 7.5 KDCs and earlier)
  are accepted by the client.  There is no need for the client
  to strictly enforce the name type.

* With historical_anon_pkinit = true, the kinit(1) client's
  "--anonymous" option only performs anon pkinit, and does
  not require an '@' prefix for the realm argument.

* With historical_anon_realm = true, the KDC issues anon
  pkinit tickets with the legacy pre-7.0 "real" realm.
This commit is contained in:
Viktor Dukhovni
2019-07-14 23:02:57 -04:00
committed by Viktor Dukhovni
parent f40d393c83
commit fae8df3839
11 changed files with 141 additions and 27 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
lib/krb5/krb5.h
View File

@@ -960,8 +960,11 @@ typedef struct krb5_name_canon_iterator_data *krb5_name_canon_iterator;
*/
#define KRB5_ANON_MATCH_AUTHENTICATED 1 /* authenticated with anon flag */
#define KRB5_ANON_MATCH_UNAUTHENTICATED 2 /* anonymous PKINIT */
#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | KRB5_ANON_MATCH_UNAUTHENTICATED )
#define KRB5_ANON_IGNORE_NAME_TYPE 4 /* don't check the name type */
#define KRB5_ANON_MATCH_ANY ( KRB5_ANON_MATCH_AUTHENTICATED | \
KRB5_ANON_MATCH_UNAUTHENTICATED )
#define KRB5_ANON_MATCH_ANY_NONT ( KRB5_ANON_MATCH_ANY | \
KRB5_ANON_IGNORE_NAME_TYPE )
/*
*