839b073fac
tgs-req: strip forwardable and proxiable if the server is disallowed
2020-02-11 02:49:36 -05:00
77b480d2a0
CVE-2019-14870: Validate client attributes in protocol-transition
...
Signed-off-by: Isaac Boukris <iboukris@gmail.com >
2019-12-10 05:24:02 -05:00
013210d1eb
CVE-2019-14870: Apply forwardable policy in protocol-transition
...
Signed-off-by: Isaac Boukris <iboukris@gmail.com >
2019-12-10 05:24:02 -05:00
51415eaaae
CVE-2019-14870: Always lookup impersonate client in DB
...
Signed-off-by: Isaac Boukris <iboukris@gmail.com >
2019-12-10 05:24:02 -05:00
d89b5cb966
kuser: allow kinit to renew anonymous PKINIT tickets
...
Anonymous PKINIT tickets discard the realm information used to locate the
issuing AS. Store the issuing realm in the credentials cache in order to locate
a KDC which can renew them.
2019-05-21 16:00:20 +10:00
b7fe0fb85a
kdc: allow checksum of PA-FOR-USER to be HMAC_MD5
...
even if tgt used an enctype with a different checksum.
Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always
HMAC_MD5, and that's what Windows and MIT clients send.
In heimdal both the client and kdc use instead the
checksum of the tgt, and therefore work with each other
but windows and MIT clients fail against heimdal KDC.
Both Windows and MIT KDC would allow any keyed checksum
to be used so Heimdal client work fine against it.
Change Heimdal KDC to allow HMAC_MD5 even for non RC4
based tgt in order to support per-spec clients.
Signed-off-by: Isaac Boukris <iboukris@gmail.com >
2019-05-18 22:33:48 -04:00
3051db0d5d
kuser: support authenticated anonymous AS-REQs in kinit
...
Allow kinit to request anonymous tickets with authenticated clients, not just
anonymous PKINIT.
2019-05-14 15:16:19 -04:00
9de0cd8f7e
tests: fix kadmin5 wrapper from repeating flags
...
Signed-off-by: Isaac Boukris <iboukris@gmail.com >
2018-12-14 16:59:44 -06:00
b1e699103f
Fix transit path validation CVE-2017-6594
...
Commit f469fc6
2017-04-13 18:06:39 -05:00
7c16ce3457
Minor typo/grammar fixes
2017-03-10 15:47:43 -05:00
2027aa11ed
Use --detach in tests to avoid waiting
2016-12-07 19:52:29 -06:00
4b4036c9a6
Implement hierarchical referrals
2016-08-08 16:29:29 -05:00
960fa481be
Add test for incorrect password
...
Signed-off-by: Andrew Bartlett <abartlet@samba.org >
2015-06-17 17:41:25 -05:00
d9e3e376a3
tests: Add simple key history test for kdc
...
Use kadmin cpw with the --keepold parameter to create a history list.
Change-Id: I21811c840be0bd1b8dd8dc66e63f88f8da6fac7e
2015-03-14 16:08:23 -04:00
a84b572747
resurrect password change support again
2014-08-22 20:19:36 -07:00
10f3c8b56e
add possible to set rules on what enctypes to use based on glob matching on principal
2013-10-18 10:01:55 +02:00
4ebfd6b818
make sure logs are truncated
2012-10-07 11:11:17 -07:00
ca6a22276e
Test that we copy forwardable/renewable flags from TGT in TGS-REQ
2012-03-14 23:58:40 -05:00
a8c51aa594
add basic sqlite tests (from Nico)
2012-02-29 08:32:57 -08:00
47f60928bc
Some more [capaths] testing
2012-02-07 14:02:24 -06:00
124eccf014
Make this work with kvno 0 and no kvno
2011-11-15 21:53:34 -06:00
38f726d8b4
Fix bug in key rollover code in TGS, make check-kdc test what we can
...
We can't test the key rollover support in the TGS in the x-realm
path using just Heimdal because the krb5_get_creds() path will try a
referral, which will produce a cross-realm TGT that has the
enc_part.kvno set. But we can test this for the plain TGT case.
2011-11-15 21:53:34 -06:00
349609ed20
Initial test of x-realm TGT w/ kvno 0 and key rollover
...
NOTE: The test runs and succeeds, but the client seems to be getting
a new x-realm TGT after we set the kvno to 0 or remove the
kvno from the tickets. This means we're not really testing
the TGS paths! So this test is not yet ready.
2011-11-15 21:53:34 -06:00
f06e684ece
recover lost check-kdc.in
2011-10-28 20:03:20 -07:00
1a1bd736c0
merge support for FAST in as-req codepath
2011-10-28 19:25:48 -07:00
d64eb50f72
filter out kvno
2011-09-25 16:44:49 +02:00
4f3d3723f4
fail if kinit failes
2011-07-24 20:24:36 -07:00
1edc2cee45
Test multi-kvno support in kadmin and KDC (part 1).
2011-07-22 16:07:10 -05:00
93d3d14827
test HTTP transport
2010-06-02 08:30:29 -07:00
86da42df1d
abstract out --no-afslog and --no-unlog
2010-06-01 14:42:16 -07:00
2c70285d3d
more up ${env_setup}
2009-12-17 10:05:10 +01:00
72908828b1
remove $Id$
2009-09-21 10:36:37 -07:00
6683a553f2
externlize env-setup
2009-09-06 23:16:03 -07:00
fb811a8ef9
drop srcdir, not used
2009-09-06 18:49:00 -07:00
45cb91dde2
switch to mostly configuration in setup-env for check-kdc
2009-09-06 18:38:23 -07:00
20001366aa
Better support for kinit -k when client have subset of enctypes compared to KDC
...
Get the list of enctypes and use that to calculate the list of client supported
enctypes when talking to the KDC, this to make sure that KDC doesn't send
pw-challanges to the client for enctypes that the client software support
but there is no entry in the keytab.
2009-08-30 13:25:38 -07:00
3e16d622c5
fix ecdsa endif
2009-08-28 15:18:50 -07:00
e9603a6446
Only try ecdsa if there really is ecdsa support
2009-08-26 00:30:36 -07:00
63f88493d8
add malloc options
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@25085 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-04-04 17:09:12 +00:00
d93ac20298
kill -9 to make store its dead
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24993 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-03-29 09:03:47 +00:00
793c93cbe4
Check that we use ECDH when we have a ECDSA cert
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24705 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-14 20:14:16 +00:00
4e386a34cc
Test ECDSA (and thus ECDH).
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24703 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-14 20:13:57 +00:00
bf84d12699
test password expiration warning and new gic interface
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24645 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-07 15:11:52 +00:00
4b3c2d35c6
drop unused $type
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24632 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-07 04:05:42 +00:00
5106f5f173
test weak enctypes too
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24610 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:09:31 +00:00
7f67735b69
make --anonymous only take realm.
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24609 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:09:21 +00:00
8ddf4c65de
kdestroy after test
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24599 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:07:42 +00:00
df1d6c9e6c
test anonymous
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24597 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-02-04 22:07:22 +00:00
2c14f1fe08
ap-req
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24555 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-30 16:50:06 +00:00
29d8d0d9bd
check ip based name and alias to ditto
...
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@24533 ec53bebd-3082-4978-b11e-865c3cabbd6b
2009-01-27 22:52:45 +00:00
Isaac Boukris