7 Commits

Author SHA1 Message Date
Luke Howard
a56c3ad819 krb5: fix prototype in pa_gss_finish()
Fix merge issue that arose after merging another fix from the
lukeh/gss-preauth-apple branch.
2021-08-18 08:17:04 +10:00
Luke Howard
386b8d328a kdc: refactor/improve error handling in GSS pa
2021-08-15 16:07:46 +10:00
Luke Howard
432fe0ad56 krb5: treat KRB5_NT_SRV_HST and KRB5_NT_SRV_INST identically
Update previous commit, mapping KRB5_NT_SRV_HST as well as KRB5_NT_SRV_INST to
GSS_C_NT_HOSTBASED_SERVICE.
2021-08-15 15:04:21 +10:00
Luke Howard
95d553e009 krb5: improve krb5 to GSS name conversion
First attempt to import krb5 names as GSS_KRB5_NT_PRINCIPAL_NAME; if that
fails, choose the most appropriate name form based on Kerberos name type.
2021-08-15 14:48:14 +10:00
Luke Howard
e840681451 krb5: try GSS_KRB5_NT_PRINCIPAL_NAME first for PA
When importing a Kerberos name for GSS pre-auth, first try to import the name
as GSS_KRB5_NT_PRINCIPAL_NAME. If that fails, fall back to GSS_C_NT_USER_NAME.
2021-08-15 09:54:45 +10:00
Luke Howard
f73f08eef1 kdc: ensure GSS-API pre-auth acceptor name is TGS
The target (acceptor) name for GSS-API pre-authentication should be the name of
the TGS, not the server name in the AS-REQ, as it is the KDC which is being
mutually authenticated. If the client is not requesting a TGT, they may differ.
2021-08-15 09:14:58 +10:00
Luke Howard
49f3f5bd99 kdc: support for GSS-API pre-authentication
Add support for GSS-API pre-authentication to the KDC, using a simplified
variation of draft-perez-krb-wg-gss-preauth-02 that encodes GSS-API context
tokens directly in PADATA, and uses FX-COOKIE for state management.

More information on the protocol and implementation may be found in
lib/gssapi/preauth/README.md.
2021-08-12 17:37:01 +10:00