[11908] in Kerberos-V5-bugs

home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[krbdev.mit.edu #6870] SVN Commit

daemon@ATHENA.MIT.EDU (Tom Yu via RT)
Tue Feb 22 17:17:29 2011

Mail-followup-to: rt@krbdev.mit.edu
mail-copies-to: never
From: "Tom Yu via RT" <rt-comment@krbdev.MIT.EDU>
In-Reply-To: <rt-6870@krbdev.mit.edu>
Message-ID: <rt-6870-33833.1.39216571191604@krbdev.mit.edu>
To: "'AdminCc of krbdev.mit.edu Ticket #6870'":;"'AdminCc of krbdev.mit.edu Ticket #6870'":;@MIT.EDU
Date: Tue, 22 Feb 2011 17:17:27 -0500 (EST)
Reply-To: rt-comment@krbdev.MIT.EDU
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


pull up r24640 from trunk

 ------------------------------------------------------------------------
 r24640 | ghudson | 2011-02-16 18:34:37 -0500 (Wed, 16 Feb 2011) | 14 lines

 ticket: 6870
 subject: Don't reject AP-REQs based on PACs
 target_version: 1.9.1
 tags: pullup

 Experience has shown that it was a mistake to fail AP-REQ verification
 based on failure to verify the signature of PAC authdata contained in
 the ticket.  We've had two rounds of interoperability issues with the
 hmac-md5 checksum code, an interoperability issue OSX generating
 unsigned PACs, and another problem where PACs are copied by older KDCs
 from a cross-realm TGT into the service ticket.  If a PAC signature
 cannot be verified, just don't mark it as verified and continue on
 with the AP exchange.

http://src.mit.edu/fisheye/changelog/krb5/?cs=24647
Commit By: tlyu
Revision: 24647
Changed Files:
U   branches/krb5-1-9/src/include/k5-trace.h
U   branches/krb5-1-9/src/lib/krb5/krb/pac.c

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs

home	help	back	first	fref	pref	prev	next	nref	lref	last	post