Commit Graph

33 Commits

Author SHA1 Message Date
Luke Howard
6bb8eaca20 hdb: dereference principal aliases in all KDC lookups (#452)
e11abf41 added support in libhdb for always dereferencing principal aliases
during an AS-REQ (where dereferencing refers to enabling alias lookups, and
rewriting the returned entry with the alias name unless canonicalization was
enabled).

Due to the KDC setting HDB_F_FOR_AS_REQ for all lookups from the AS, this
allowed aliases on the TGS itself to be dereferenced during an AS-REQ; however,
on presenting the TGT, the TGS would fail to resolve. Creating an explicit TGS
principal for the aliased realm would work (at least prior to c555ed6a), but
this could be confusing to deploy.

This commit enables alias dereferencing when HDB_F_GET_ANY is set,
which essentially means dereference whenever the request is coming from the KDC
(as opposed to, say, kadmin).

We also back out c555ed6a, which changed the TGS to always canonicalize the
server realm, as this breaks serving multiple realms from a single KDC, where
server principals in different realms share a single canonical entry.
HDB_F_CANON is now passed to the backend as a hint only, and per RFC 6806 the
principal name is never changed in TGS replies. (However, for Samba interop,
backends can override this by setting the force-canonicalize HDB flag.)
2019-01-05 14:01:26 +11:00
Roland C. Dowdeswell
0da84c0c3a Add require-pwchange flag to HDB and honour it if present in mit-db:. 2012-02-27 10:19:54 +00:00
Nicolas Williams
19d378f44d Add 64-bit integer support to ASN.1 compiler
ASN.1 INTEGERs will now compile to C int64_t or uint64_t, depending
on whether the constraint ranges include numbers that cannot be
represented in 32-bit ints and whether they include negative
numbers.

Template backend support included.  check-template is now built with
--template, so we know we're testing it.

Tests included.
2011-12-12 20:01:20 -06:00
Nicolas Williams
1eb56edd86 Introduce Keys ::= SEQUENCE OF Key in hdb.asn1 so we can get convenience utils. 2011-07-22 16:07:08 -05:00
Nicolas Williams
0674e4b13a Ooops! Mind those tags when re-ordering ASN.1 SEQUENCEs! (hdb_keyset) 2011-07-22 16:07:05 -05:00
Nicolas Williams
53ea8ac59b Make changes to hdb_keyset type be backward-compatible. 2011-07-22 16:06:01 -05:00
Nicolas Williams
355ae357eb Moved set_time field of hdb_keyset to end and add extensibility marker. 2011-07-22 16:06:01 -05:00
Nicolas Williams
c2ec368c36 Add HDB extension for storing policy regarding what historic keys may be used for 2011-07-22 16:06:00 -05:00
Nicolas Williams
a04721b737 Added basic policy support, w/ policy names listed in krb5.conf 2011-07-22 16:05:21 -05:00
Nicolas Williams
34189a23fe Added a flag to ensure that we don't mod/store hdb entries fetched with specified kvno. 2011-07-22 16:04:51 -05:00
Nicolas Williams
a095933ee0 We want the time that a keyset was set, not the time it was replaced. 2011-07-22 16:04:51 -05:00
Nicolas Williams
fca53990e4 Initial commit for second approach for multiple kvno. NOT TESTED! 2011-07-22 16:04:51 -05:00
Love Hörnquist Åstrand
f65f1f26ef add HDBFlags: locked-out
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25297 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-07-03 04:25:01 +00:00
Love Hörnquist Åstrand
15d6e41dea add pkinit-cert
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24980 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-29 09:01:25 +00:00
Love Hörnquist Åstrand
95f39b1cc0 add hdb_keyset and opaque
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24903 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-22 17:20:37 +00:00
Love Hörnquist Åstrand
9f106cf20a add simple alias support to the database backends
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20236 ec53bebd-3082-4978-b11e-865c3cabbd6b
2007-02-16 23:52:29 +00:00
Love Hörnquist Åstrand
db091f2134 (HDBFlags): Add allow-digest
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17925 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-08-24 10:45:19 +00:00
Love Hörnquist Åstrand
c0c59a96f2 Rename HDB-Ext-PKINIT-certificate to HDB-Ext-PKINIT-hash.
Add trust anchor to HDB-Ext-PKINIT-acl.


git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17829 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-07-13 18:22:22 +00:00
Love Hörnquist Åstrand
ce2f8d406f (HDBFlags): Add allow-kerberos4
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17648 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-14 18:28:14 +00:00
Love Hörnquist Åstrand
f90b31406f (HDBFlags): add trusted-for-delegation
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17614 ec53bebd-3082-4978-b11e-865c3cabbd6b
2006-06-06 14:53:23 +00:00
Love Hörnquist Åstrand
90f0c3cff0 Add support for HDB-extension.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15875 ec53bebd-3082-4978-b11e-865c3cabbd6b
2005-08-11 13:15:44 +00:00
Love Hörnquist Åstrand
9fd91474ad use constrained integers
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@14344 ec53bebd-3082-4978-b11e-865c3cabbd6b
2004-11-10 18:50:27 +00:00
Love Hörnquist Åstrand
708a148e91 remove enforce-transited-policy, it's no longer used
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13224 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-12-16 16:53:37 +00:00
Johan Danielsson
cf7d2c2fb1 add flag to enforce transited policy
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@13035 ec53bebd-3082-4978-b11e-865c3cabbd6b
2003-10-21 11:09:59 +00:00
Johan Danielsson
4c1667b6be add generation number
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@10162 ec53bebd-3082-4978-b11e-865c3cabbd6b
2001-06-21 14:56:29 +00:00
Johan Danielsson
791745e94d use new import syntax
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@8399 ec53bebd-3082-4978-b11e-865c3cabbd6b
2000-06-19 15:22:22 +00:00
Johan Danielsson
0db75ae2dd make mkvno optional, update version to 2
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@6086 ec53bebd-3082-4978-b11e-865c3cabbd6b
1999-05-03 16:48:52 +00:00
Johan Danielsson
9799799e42 Add list of etypes to hdb_entry.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4724 ec53bebd-3082-4978-b11e-865c3cabbd6b
1998-04-05 05:20:22 +00:00
Johan Danielsson
3c04febb46 Add some more flags.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@4644 ec53bebd-3082-4978-b11e-865c3cabbd6b
1998-03-21 23:46:44 +00:00
Johan Danielsson
0305bed653 Include salt type in salt.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@3317 ec53bebd-3082-4978-b11e-865c3cabbd6b
1997-08-31 19:30:29 +00:00
Johan Danielsson
14f6dc9063 Version number.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@3168 ec53bebd-3082-4978-b11e-865c3cabbd6b
1997-08-26 22:27:09 +00:00
Assar Westerlund
ef61ce3ee6 new flags `require_preauth' and `change_pw'
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2680 ec53bebd-3082-4978-b11e-865c3cabbd6b
1997-08-01 15:29:54 +00:00
Johan Danielsson
9a16c79d62 Database definitions.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@2513 ec53bebd-3082-4978-b11e-865c3cabbd6b
1997-07-23 02:04:14 +00:00