[11709] in Kerberos-V5-bugs


[krbdev.mit.edu #6786] SVN Commit

daemon@ATHENA.MIT.EDU (Sam Hartman via RT)
Mon Sep 27 13:16:46 2010

From: "Sam Hartman via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6786@krbdev.mit.edu>
Message-ID: <rt-6786-33184.2.34232690261955@krbdev.mit.edu>
Date: Mon, 27 Sep 2010 13:16:42 -0400 (EDT)


If a credentials cache is available, use it as an armor cache to enable FAST negotiation for kpasswd. This requires an attacker to attack both the user's long-term key for the old password as well as the ticket used for the armor cache in order to attack the password change. Depending on how the armor ticket is obtained, this may provide limited value. However, it provides users an easy option if they are concerned about their current password. Users can kinit with one principal to help protect changing the password of another principal.

* krb5_get_init_creds_opt_set_fast_ccache: new API to set fast ccache based on a krb5_ccache object rather than a resolvable string

* kpasswd: always open the current credential cache even if not needed
  for determining the principal. If the cache has tickets, use it as
  an armor cache.

* tests/dejagnu/krb-standalone/kadmin.exp: Arrange to test new code path

http://src.mit.edu/fisheye/changelog/krb5/?cs=24359
Commit By: hartmans
Revision: 24359
Changed Files:
U   trunk/src/clients/kpasswd/kpasswd.c
U   trunk/src/include/krb5/krb5.hin
U   trunk/src/lib/krb5/krb/gic_opt.c
U   trunk/src/lib/krb5/libkrb5.exports
U   trunk/src/tests/dejagnu/krb-standalone/kadmin.exp
