[16381] in Kerberos-V5-bugs


[krbdev.mit.edu #8843] git commit

daemon@ATHENA.MIT.EDU (Greg Hudson via RT)
Sun Nov 3 13:57:04 2019

From: "Greg Hudson via RT" <rt-comment@KRBDEV-PROD-APP-1.mit.edu>
In-Reply-To: 
Message-ID: <rt-4.4.4-124992-1572807406-323.8843-4-0@mit.edu>
To: "AdminCc of krbdev.mit.edu Ticket #8843":;
Date: Sun, 03 Nov 2019 13:56:46 -0500
MIME-Version: 1.0
Reply-To: rt-comment@KRBDEV-PROD-APP-1.mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krb5-bugs-bounces@mit.edu


Sun Nov 03 13:56:46 2019: Request 8843 was acted upon.
 Transaction: Ticket created by ghudson@mit.edu
       Queue: krb5
     Subject: git commit
       Owner: ghudson@mit.edu
  Requestors: 
      Status: new
 Ticket <URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8843 >



Allow client canonicalization in non-krbtgt AS-REP

If a caller makes an AS-REQ with the canonicalize flag set (or with an
enterprise client principal or the anonymous flag), always allow the
KDC to change the client principal.  Continue to restrict server name
changes to requests for TGS principals.

Also remove the conditional for setting canon_ok for fully anonymous
requests.  Both kinds of anonymous requests change the client
principal or realm, but neither kind changes the server principal or
realm, so this logic is no longer needed now that canon_ok only
applies to server name changes.

[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT
clause]

https://github.com/krb5/krb5/commit/c6c19b1d35c6523cb7ed220c1f2e97e12e039293
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: c6c19b1d35c6523cb7ed220c1f2e97e12e039293
Branch: master
 src/lib/krb5/krb/get_in_tkt.c |    9 ++-------
 src/tests/t_kdb.py            |    3 +++
 2 files changed, 5 insertions(+), 7 deletions(-)

_______________________________________________
krb5-bugs mailing list
krb5-bugs@mit.edu
https://mailman.mit.edu/mailman/listinfo/krb5-bugs
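
The name-acceptance rule described in the commit message above, modelled as an added C example; it is not code from the krb5 tree or from the commit. The struct and function names, the string form of principals, and the prefix test for "krbtgt" are assumptions made for illustration, and the sample principals are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model: principals are "name@REALM" strings (assumption). */
struct as_request {
    const char *client, *server;
    bool canonicalize;      /* canonicalize flag set */
    bool enterprise_client; /* enterprise client principal used */
    bool anonymous;         /* anonymous flag set */
};

struct as_reply {
    const char *client, *server;
};

/* Assumption: a TGS principal is one whose first component is "krbtgt". */
static bool is_tgs_princ(const char *p)
{
    return strncmp(p, "krbtgt/", 7) == 0;
}

/* Return true if the names in the reply are acceptable for this request. */
bool as_rep_names_ok(const struct as_request *req, const struct as_reply *rep)
{
    bool canon_req = req->canonicalize || req->enterprise_client ||
        req->anonymous;
    /* Server name changes stay limited to requests for TGS principals. */
    bool server_canon_ok = canon_req && is_tgs_princ(req->server) &&
        is_tgs_princ(rep->server);

    if (!canon_req && strcmp(req->client, rep->client) != 0)
        return false;   /* client changed without the caller opting in */
    if (!server_canon_ok && strcmp(req->server, rep->server) != 0)
        return false;   /* server changed outside the TGS case */
    return true;
}

int main(void)
{
    /* Constructed case: canonicalize set, non-krbtgt server, client renamed. */
    struct as_request req = { "alice@EXAMPLE.COM",
                              "kadmin/changepw@EXAMPLE.COM", true, false, false };
    struct as_reply rep = { "Alice@EXAMPLE.COM", "kadmin/changepw@EXAMPLE.COM" };
    printf("%s\n", as_rep_names_ok(&req, &rep) ? "accept" : "reject");
    return 0;
}
```
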
