heimdal/kdc at 87348cf27ae71a130c3f1a86ac52dec7bb5bb885 - heimdal - PVV Git

oysteikt/heimdal

Files

History

Joseph Sutton 87348cf27a kdc: Verify PAC in TGT provided for user-to-user authentication

Assists Samba to address CVE-2020-25719

It is critical to ensure that the name in the U2U TGT is still associated with
the account was issued to, so we must check the PAC to verify the SID.

Otherwise the SPN check via the S4U2Self hook might be mislead.

Samba BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

(Similar to Samba commit 49a13f0fc942d1cfb767d5b6bf49d62241d52046)

2021-12-16 16:09:07 +11:00

..

altsecid_gss_preauth_authorizer.c

kdc: correct logic error in altsecid_gss_preauth_authorizer

2021-08-31 11:06:32 +00:00

announce.c

cast to avoid size_t vs int issue

2011-07-24 13:07:07 -07:00

bx509d.8

bx509: Add addresses q-param for /get-tgt

2021-04-14 19:28:08 -05:00

bx509d.c

Always perform == or != operation on cmp function result

2021-11-24 22:30:44 -05:00

ca.c

bx509d: Allow requesting longer cert lifetimes

2021-03-07 22:20:06 -06:00

cjwt_token_validator.c

Move some infra bits of lib/krb5/ to lib/base/ (2)

2020-03-02 10:56:13 -06:00

config.c

roken_detach_prep() should return fd

2019-10-03 13:09:18 -05:00

connect.c

kdc: enable keepalive mode on incoming sockets

2020-07-24 01:32:34 -04:00

csr_authorizer_plugin.h

kdc: Get KDC config out of CSR authorizer API

2020-09-08 00:25:24 -05:00

csr_authorizer.c

kdc: Get KDC config out of CSR authorizer API

2020-09-08 00:25:24 -05:00

default_config.c

kdc: Optionally require that PAC be be present

2021-12-16 14:41:10 +11:00

digest-service.c

Use UTF-8 in KTH copyright notice

2021-11-29 12:50:26 +11:00

digest.c

kdc: map KRB5_PROG_SUMTYPE_NOSUPP to KRB5KDC_ERR_SUMTYPE_NOSUPP

2021-09-21 18:17:00 +10:00

fast.c

kdc: fix regression when validating armor client

2021-12-16 16:05:07 +11:00

gss_preauth_authorizer_plugin.h

kdc: support for GSS-API pre-authentication

2021-08-12 17:37:01 +10:00

gss_preauth.c

kdc: map KRB5_PROG_SUMTYPE_NOSUPP to KRB5KDC_ERR_SUMTYPE_NOSUPP

2021-09-21 18:17:00 +10:00

headers.h

kdc: support for GSS-API pre-authentication

2021-08-12 17:37:01 +10:00

hprop-version.rc

Windows: Version information for binaries

2010-08-20 13:06:54 -04:00

hprop.8

Fixes #550 - Note that encrypt is the default option

2019-05-30 20:10:25 -04:00

hprop.c

add HDBGET: that only supports get, iteration doesnt really make sense for the HDB keytab except when dumping

2013-10-15 12:40:39 +02:00

hprop.h

add HDBGET: that only supports get, iteration doesnt really make sense for the HDB keytab except when dumping

2013-10-15 12:40:39 +02:00

hpropd-version.rc

Windows: Version information for binaries

2010-08-20 13:06:54 -04:00

hpropd.8

remove trailing whitespace

2011-05-21 11:57:31 -07:00

hpropd.c

hpropd: enable keepalive mode on incoming sockets

2020-07-24 01:32:34 -04:00

httpkadmind.8

httpkadmind: Allow host SPNs to fetch selves

2021-06-29 14:52:07 -05:00

httpkadmind.c

kadm5: Use KADM5_PASS_Q_GENERIC

2021-12-16 10:40:01 +11:00

ipc_csr_authorizer.c

kdc: Get KDC config out of CSR authorizer API

2020-09-08 00:25:24 -05:00

kdc_locl.h

kdc: update PAC hooks for Samba

2021-12-14 13:51:53 +11:00

kdc-replay.c

Turn on -Wextra -Wno-sign-compare -Wno-unused-paramter and fix issues.

2012-02-20 19:45:41 +00:00

kdc-tester.c

kdc: sync KDC FAST with Heimdal-597.121.1

2021-12-14 09:03:42 +11:00

kdc-version.rc

Windows: Version information for binaries

2010-08-20 13:06:54 -04:00

kdc.8

Optional backwards-compatible anon-pkinit behaviour

2019-09-04 18:00:15 -04:00

kdc.h

kdc: Optionally require that PAC be be present

2021-12-16 14:41:10 +11:00

kerberos5.c

kdc: Don't advertise padata types that will not be accepted

2021-12-16 10:49:15 +11:00

krb5tgs.c

kdc: Verify PAC in TGT provided for user-to-user authentication

2021-12-16 16:09:07 +11:00

kstash-version.rc

Windows: Version information for binaries

2010-08-20 13:06:54 -04:00

kstash.8

remove trailing whitespace

2011-05-21 11:57:31 -07:00

kstash.c

libhcrypto: UI_UTIL_FLAG_VERIFY_SILENT

2018-12-30 15:39:49 -06:00

kx509.c

bx509d: Allow requesting longer cert lifetimes

2021-03-07 22:20:06 -06:00

libkdc-exports.def

kdc: Modernize kx509 logging too

2019-12-11 19:34:36 -06:00

libkdc-version.rc

Windows: Version information for binaries

2010-08-20 13:06:54 -04:00

log.c

Declare kdc log functions to be printf-like

2019-07-09 13:17:06 -05:00

main.c

kdc: Fix leaks

2019-12-09 21:39:30 -06:00

Makefile.am

kdc: add sample GSS preauth authorization plugin

2021-08-31 11:00:13 +00:00

misc.c

kdc: move _kdc_verify_checksum() to misc.c

2021-09-23 17:41:43 +10:00

mit_dump.c

Always perform == or != operation on cmp function result

2021-11-24 22:30:44 -05:00

negotiate_token_validator.c

kdc: support for GSS-API pre-authentication

2021-08-12 17:37:01 +10:00

NTMakefile

gss: move GSS pre-auth helpers to convenience lib

2021-08-27 15:20:07 +10:00

pkinit-ec.c

fixup pkinit-ec.c (kdc and lib/krb5) includes

2016-04-17 17:10:08 -05:00

pkinit.c

kdc: remove temporary krb5_context variable

2021-12-14 09:03:42 +11:00

process.c

Always perform == or != operation on cmp function result

2021-11-24 22:30:44 -05:00

rx.h

remove trailing whitespace

2008-09-13 09:21:03 +00:00

set_dbinfo.c

Define log levels in docs and change default to 0-3.

2019-10-21 13:43:01 +01:00

simple_csr_authorizer.c

bx509: Let simple authorizer use the app name

2020-09-08 00:25:24 -05:00

string2key-version.rc

Windows: Version information for binaries

2010-08-20 13:06:54 -04:00

string2key.8

remove trailing whitespace

2011-05-21 11:57:31 -07:00

string2key.c

catch error value from krb5_ functions and exit

2013-06-28 08:40:49 +02:00

test_csr_authorizer.c

hx509/kdc: Move KDC CA utility function into hx509

2020-09-08 00:25:24 -05:00

test_kdc_ca.c

bx509d: Allow requesting longer cert lifetimes

2021-03-07 22:20:06 -06:00

test_token_validator.c

hx509/kdc: Move KDC CA utility function into hx509

2020-09-08 00:25:24 -05:00

token_validator_plugin.h

Add bx509d

2019-12-04 21:34:44 -06:00

token_validator.c

Move some infra bits of lib/krb5/ to lib/base/ (2)

2020-03-02 10:56:13 -06:00

version-script.map

kdc: Modernize kx509 logging too

2019-12-11 19:34:36 -06:00

windc_plugin.h

kdc: update PAC hooks for Samba

2021-12-14 13:51:53 +11:00

windc.c

kdc: update PAC hooks for Samba

2021-12-14 13:51:53 +11:00