Nicolas Williams 
							
						 
					 
					
						
						
							
						
						a684e001ba 
					 
					
						
						
							
gsskrb5: Check dst-TGT policy at store time
						
						
						
						
						Our initiator supports configuration-driven delegation of destination
TGTs.
This commit adds acceptor-side handling of destination TGT policy to
reject storing of non-destination TGTs when destination TGTs are
desired.
Currently we use the same appdefault for this.
Background:
    A root TGT is one of the form krbtgt/REALM@SAME-REALM.
    A destination TGT is a root TGT for the same realm as the acceptor
    service's realm.
    Normally clients delegate a root TGT for the client's realm.
    In some deployments clients may want to delegate destination TGTs as
    a form of constrained delegation: so that the destination service
    cannot use the delegated credential to impersonate the client
    principal to services in its home realm (due to KDC lineage/transit
    checks).  In those deployments there may not even be a route back to
    the KDCs of the client's realm, and attempting to use a
    non-destination TGT might even lead to timeouts. 
						
						
					 
					
						2020-07-09 13:27:11 -05:00 
						 
				 
			
				
					
						
							
							
								Nico Williams 
							
						 
					 
					
						
						
							
						
						1243ea6a9a 
					 
					
						
						
							
Merge pull request #711 from nicowilliams/master
						
						
						
						
						Fix gss_krb5_copy_ccache() (broken by MEM:anon) 
						
						
					 
					
						2020-05-13 21:57:25 -05:00 
						 
				 
			
				
					
						
							
							
								Luke Howard 
							
						 
					 
					
						
						
							
						
						33137a8c82 
					 
					
						
						
							
							gss: allow source/target to be null on export/import  
						
						
						
						
						Allow the source and target names to be NULL when exporting or importing a
security context for the krb5 mechanism. This will be used in the future to
support skeletal contexts that only provide RFC4121 message protection
services. 
						
						
					 
					
						2020-04-16 15:20:10 +10:00 
						 
				 
			
				
					
						
							
							
								Luke Howard 
							
						 
					 
					
						
						
							
						
						2c8fa27224 
					 
					
						
						
							
							gss: use _gss_secure_release_buffer_[set]  
						
						
						
						
						Use new helper APIs for securely zeroing and releasing buffers and buffer sets. 
						
						
					 
					
						2020-04-15 16:23:17 +10:00 
						 
				 
			
				
					
						
							
							
								Daria Phoebe Brashear 
							
						 
					 
					
						
						
							
						
						b12e01035c 
					 
					
						
						
							
							gss: _locl.h files should include local copy of -private.h files  
						
						
						
						
						apparently some versions of heimdal installed mech private headers.
don't inadvertently end up with it in your path from a previous version
						
						
					 
					
						2018-04-19 13:12:59 -04:00 
						 
				 
			
				
					
						
							
							
								Nicolas Williams 
							
						 
					 
					
						
						
							
						
						20c1e6c9ef 
					 
					
						
						
							
							Rename context handle lifetime to endtime  
						
						
						
						
					 
					
						2015-04-14 11:27:25 -05:00 
						 
				 
			
				
					
						
							
							
								Viktor Dukhovni 
							
						 
					 
					
						
						
							
						
						dee03d9bee 
					 
					
						
						
							
							Rename cred handle lifetime to endtime  
						
						
						
						
						And change type from OM_uint32 to time_t. 
						
						
					 
					
						2015-04-14 11:27:25 -05:00 
						 
				 
			
				
					
						
							
							
								Viktor Dukhovni 
							
						 
					 
					
						
						
							
						
						cfdf6d5cbe 
					 
					
						
						
							
							gsskrb5: Make krb5 mech use referrals  
						
						
						
						
						Modify the gss krb5 mech to always use referrals unless the
KRB5_NCRO_NO_REFERRALS flag is set.
Change-Id: I7efd873ac922a43adafa2c492703b576847a885f 
						
						
					 
					
						2015-03-14 16:08:32 -04:00 
						 
				 
			
				
					
						
							
							
								Andrew Bartlett 
							
						 
					 
					
						
						
							
						
						5cc4d5d2bd 
					 
					
						
						
							
heimdal Use a separate krb5_auth_context for the delegated credentials
						
						
						
						
						This makes it much more clear that the timestamp written here is not
used in mutual authentication.
Andrew Bartlett
Signed-off-by: Love Hornquist Astrand <lha@h5l.org>
						
						
					 
					
						2010-10-02 20:47:12 -07:00 
						 
				 
			
				
					
						
							
							
								Love Hornquist Astrand 
							
						 
					 
					
						
						
							
						
						914417c5c8 
					 
					
						
						
							
							Remove unused structure  
						
						
						
						
					 
					
						2009-09-19 13:55:34 -07:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						269a7a057b 
					 
					
						
						
							
							flatten include headers  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24382 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2009-01-25 00:35:00 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						9586101a49 
					 
					
						
						
							
							use the krb5_crypto directly, skipping some per packet calculation, make cfx handling simpler  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24067 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-12-11 04:52:10 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						d4f5c19c1d 
					 
					
						
						
							
							make IS_CFX a more_flag  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24057 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-12-11 04:50:22 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						6937d41a02 
					 
					
						
						
							
							remove trailing whitespace  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23815 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-09-13 09:21:03 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						e172367898 
					 
					
						
						
							
							switch to utf8 encoding of all files  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23814 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-09-13 08:53:55 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						227aca963e 
					 
					
						
						
							
Avoid dns canonicalisation for hosts, until we know what client credential we are going to use, and when we know that, let's check if the user really wants to use canonicalisation, XXX should be able to configure per target realm too
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23678 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-08-25 02:34:24 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						6fcc601db9 
					 
					
						
						
							
							update (c)  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23435 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-07-26 20:49:35 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						39fe446983 
					 
					
						
						
							
							Support parsing KRB-ERROR passed back from windows server when the time is out of sync, modify krb5_cc_[sg]et_config interface to handle principals too, add tests for this  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@23420 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-07-26 18:37:48 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						27a3ca100e 
					 
					
						
						
							
							Add flag to not add gss-api INT|CONF to the negotiation  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22655 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2008-02-26 12:40:35 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						2994c5a57a 
					 
					
						
						
							
							(gsskrb5_cred): add list of supported enctypes.  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@20324 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2007-04-12 16:46:01 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						00bcd44370 
					 
					
						
						
							
							Switch from using a specific error message context in the TLS to have  
						
						
						
						
a whole krb5_context in TLS. This has some interesting side-effects
for the configuration setting options since they operate on
a per-thread basis now.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@19031 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-11-13 18:02:57 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						edbd07c470 
					 
					
						
						
							
							Include <gkrb5_err.h>.  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18972 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-11-10 00:36:40 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						893d903659 
					 
					
						
						
							
							Add IS_DCE_STYLE macro.  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18935 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-11-07 17:57:43 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						dfa6f7b248 
					 
					
						
						
							
							reference all include files using krb5/  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18334 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-10-07 22:16:04 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						0ecd7e58ad 
					 
					
						
						
							
							move the arcfour specific stuff to the arcfour header.  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18171 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-09-25 20:45:00 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						226ba0b6cd 
					 
					
						
						
							
merge most of the initiator part from the samba patch by Stefan Metzmacher and Andrew Bartlett (still missing DCE/RPC support)
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@18147 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-09-22 10:41:31 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						6fc08c2f0a 
					 
					
						
						
							
							Remove dup prototype of _gsskrb5_init()  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17852 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-07-20 03:53:31 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						03567db502 
					 
					
						
						
							
							make gss_name_t an opaque type  
						
						
						
						
						git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17736 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-06-29 07:27:26 +00:00 
						 
				 
			
				
					
						
							
							
								Love Hörnquist Åstrand 
							
						 
					 
					
						
						
							
						
						ee09f98c15 
					 
					
						
						
							
							Rename local include file, remove global files.  
						
						
						
						
						Stop exposing global gssapi symbols.
Rename gss_context_id_t and gss_cred_id_t to local names.
Remove SPNEGO code, it's now in its own gssapi module.
Add mechglue inquire functions.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@17697 ec53bebd-3082-4978-b11e-865c3cabbd6b 
						
						
					 
					
						2006-06-28 08:54:04 +00:00