oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
a684e001ba77132cd5197602118da64245c4e77e
heimdal/lib/gssapi
History
Nicolas Williams a684e001ba gsskrb5: Check dst-TGT pokicy at store time 
Our initiator supports configuration-driven delegation of destination
TGTs.

This commit adds acceptor-side handling of destination TGT policy to
reject storing of non-destination TGTs when destination TGTs are
desired.

Currently we use the same appdefault for this.

Background:

    A root TGT is one of the form krbtgt/REALM@SAME-REALM.

    A destination TGT is a root TGT for the same realm as the acceptor
    service's realm.

    Normally clients delegate a root TGT for the client's realm.

    In some deployments clients may want to delegate destination TGTs as
    a form of constrained delegation: so that the destination service
    cannot use the delegated credential to impersonate the client
    principal to services in its home realm (due to KDC lineage/transit
    checks).  In those deployments there may not even be a route back to
    the KDCs of the client's realm, and attempting to use a
    non-destination TGT might even lead to timeouts.
2020-07-09 13:27:11 -05:00
..
gssapi
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
krb5
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
mech
Avoid -Werror=address failure due to embedded NULL check in _mg_buffer_zero
2020-05-27 23:23:43 -05:00
netlogon
Properly implement neg_mechs & GM_USE_MG_CRED
2020-04-21 00:21:32 -05:00
ntlm
Properly implement neg_mechs & GM_USE_MG_CRED
2020-04-21 00:21:32 -05:00
sanon
gss: unconditionally set certain flags in SAnon ISC
2020-04-28 07:38:31 +10:00
spnego
gss: don't use mechglue private header in SPNEGO
2020-04-27 15:10:29 +10:00
ChangeLog
switch to utf8 encoding of all files
2008-09-13 08:53:55 +00:00
gen-oid.pl
gss: intern OIDs (#447)
2018-12-18 23:28:38 -06:00
gss_acquire_cred.3
Fix assorted typos
2018-12-14 17:30:14 -05:00
gss-commands.in
use sl_did_you_mean
2011-11-22 12:18:48 -08:00
gss-token.1
gssapi: Import elric1's gss-token
2019-11-19 23:00:41 -06:00
gss-token.c
bx509: CSRF protection for /bnegotiate
2019-12-09 20:13:33 -06:00
gssapi_mech.h
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
gssapi.3
remove trailing whitespace
2011-05-21 11:57:31 -07:00
gssapi.h
remove trailing whitespace
2008-09-13 09:21:03 +00:00
gsstool.c
use sl_did_you_mean
2011-11-22 12:18:48 -08:00
libgssapi-exports.def
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
libgssapi-version.rc
Windows: Rename libgssapi.dll -> gssapi.dll
2010-08-20 13:14:15 -04:00
Makefile.am
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
NTMakefile
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
oid.txt
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
test_acquire_cred.c
gss: Fix some test leaks
2020-04-25 21:22:32 -05:00
test_add_store_cred.c
krb5: Improve cccol sub naming; add gss_store_cred_into2()
2020-03-02 17:48:04 -06:00
test_common.c
More fixes for -Werror (GCC 4.6 catches more stuff)
2011-11-02 23:20:55 -05:00
test_common.h
remove trailing whitespace
2008-09-13 09:21:03 +00:00
test_context.c
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
test_cred.c
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
test_kcred.c
Add note about racy tests
2019-10-03 13:09:18 -05:00
test_names.c
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00
test_negoex_mech.c
gss: plug leak in test_negoex_mech
2020-03-02 17:16:58 +11:00
test_ntlm.c
Round #2 of scan-build warnings cleanup
2016-11-16 17:03:14 -06:00
test_oid.c
Include <roken.h> before <gssapi.h>
2010-12-01 17:54:29 -05:00
version-script.map
gss: SAnon - the Simple Anonymous GSS-API mechanism
2020-04-25 23:19:30 -05:00