oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity
Files
a684e001ba77132cd5197602118da64245c4e77e
heimdal/lib/gssapi/krb5
History
Nicolas Williams a684e001ba gsskrb5: Check dst-TGT pokicy at store time 
Our initiator supports configuration-driven delegation of destination
TGTs.

This commit adds acceptor-side handling of destination TGT policy to
reject storing of non-destination TGTs when destination TGTs are
desired.

Currently we use the same appdefault for this.

Background:

    A root TGT is one of the form krbtgt/REALM@SAME-REALM.

    A destination TGT is a root TGT for the same realm as the acceptor
    service's realm.

    Normally clients delegate a root TGT for the client's realm.

    In some deployments clients may want to delegate destination TGTs as
    a form of constrained delegation: so that the destination service
    cannot use the delegated credential to impersonate the client
    principal to services in its home realm (due to KDC lineage/transit
    checks).  In those deployments there may not even be a route back to
    the KDCs of the client's realm, and attempting to use a
    non-destination TGT might even lead to timeouts.
2020-07-09 13:27:11 -05:00
..
8003.c
Round #2 of scan-build warnings cleanup
2016-11-16 17:03:14 -06:00
accept_sec_context.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
acquire_cred.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
add_cred.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
address_to_krb5addr.c
flatten include headers
2009-01-25 00:35:00 +00:00
aeap.c
lib/gssapi/krb5: implement gss_[un]wrap_iov[_length] with arcfour-hmac-md5
2015-07-31 17:30:23 +12:00
arcfour.c
use memset_s
2017-04-29 01:05:59 -04:00
authorize_localname.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
canonicalize_name.c
Revamp name canonicalization code
2015-03-24 11:49:58 -05:00
ccache_name.c
Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
2009-06-22 17:56:41 +00:00
cfx.c
Round #2 of scan-build warnings cleanup
2016-11-16 17:03:14 -06:00
cfx.h
Switch from using a specific error message context in the TLS to have
2006-11-13 18:02:57 +00:00
compare_name.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
compat.c
remove trailing whitespace
2011-05-21 11:57:31 -07:00
context_time.c
Round #2 of scan-build warnings cleanup
2016-11-16 17:03:14 -06:00
copy_ccache.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
creds.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
decapsulate.c
lib/gssapi/krb5: make _gssapi_verify_pad() more robust
2015-07-31 17:30:23 +12:00
delete_sec_context.c
gssapi/krb5: delete_sec_context must close ccache if CLOSE_CCACHE
2020-06-29 11:40:48 -04:00
display_name.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
display_status.c
krb5: Fix display_status() incorrect major status
2020-04-25 23:19:30 -05:00
duplicate_cred.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
duplicate_name.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
encapsulate.c
move _gssapi_make_mech_header to avoid need to prototype
2018-04-19 13:12:59 -04:00
export_name.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
export_sec_context.c
gss: allow source/target to be null on export/import
2020-04-16 15:20:10 +10:00
external.c
Properly implement neg_mechs & GM_USE_MG_CRED
2020-04-21 00:21:32 -05:00
get_mic.c
use memset_s
2017-04-29 01:05:59 -04:00
gkrb5_err.et
gssapi: credential store extensions (#451)
2019-01-03 14:38:39 -06:00
gsskrb5_locl.h
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
import_name.c
princ type NT-UNKNOWN + "host" == NT-SRV-HST
2016-11-14 21:29:47 -06:00
import_sec_context.c
gss: allow source/target to be null on export/import
2020-04-16 15:20:10 +10:00
indicate_mechs.c
Fix calling conventions for Windows
2010-08-20 13:14:10 -04:00
init_sec_context.c
Add enforce_ok_as_delegate setting
2019-11-20 18:18:57 -05:00
init.c
gss: register GSS_KRB5_S error table
2020-02-04 17:28:35 +11:00
inquire_context.c
Rename context handle lifetime to endtime
2015-04-14 11:27:25 -05:00
inquire_cred_by_mech.c
Fix gss_inquire_cred_by_mech.
2015-03-10 03:07:29 +00:00
inquire_cred_by_oid.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
inquire_cred.c
gssapi: credential store extensions (#451)
2019-01-03 14:38:39 -06:00
inquire_mechs_for_name.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
inquire_names_for_mech.c
remove trailing whitespace
2011-05-21 11:57:31 -07:00
inquire_sec_context_by_oid.c
gss: fix downlevel Windows interop regression
2020-04-13 10:26:38 +10:00
pname_to_uid.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
prf.c
Fix krb5's gss_pseudo_random() (n is big-endian)
2013-10-30 14:26:15 -05:00
process_context_token.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00
release_buffer.c
Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
2009-06-22 17:56:41 +00:00
release_cred.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
release_name.c
Fix calling conventions for Windows
2010-08-20 13:14:10 -04:00
sequence.c
remove trailing whitespace
2011-05-21 11:57:31 -07:00
set_cred_option.c
krb5: Improve cccol sub naming; add gss_store_cred_into2()
2020-03-02 17:48:04 -06:00
set_sec_context_option.c
gss: GSS_KRB5_IMPORT_RFC4121_CONTEXT_X / _gss_mg_import_rfc4121_context()
2020-04-17 11:04:33 +10:00
store_cred.c
gsskrb5: Check dst-TGT pokicy at store time
2020-07-09 13:27:11 -05:00
test_acquire_cred.c
Rewrite gss_add_cred() (fix #413)
2018-12-28 19:26:25 -06:00
test_cfx.c
switch to KRB5_ENCTYPE
2011-07-24 16:02:22 -07:00
test_cred.c
Rewrite gss_add_cred() (fix #413)
2018-12-28 19:26:25 -06:00
test_kcred.c
Add note about racy tests
2019-10-03 13:09:18 -05:00
test_oid.c
Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
2009-06-22 17:56:41 +00:00
test_sequence.c
Minor typo/grammar fixes
2017-03-10 15:47:43 -05:00
ticket_flags.c
Implement gss_wrap_iov, gss_unwrap_iov for CFX type encryption types.
2009-06-22 17:56:41 +00:00
unwrap.c
GSS unwrap: wipe copy of DES key when done with it
2018-12-14 06:18:26 -05:00
verify_mic.c
use memset_s
2017-04-29 01:05:59 -04:00
wrap.c
First attempt s/\<const gss_.*_t/gss_const_.*_t/g
2013-06-02 15:30:58 -05:00