freeipa

Clone
Source Code
GIT

630cda5 kdb: Use krb5_pac_full_sign_compat() when available

2 files Authored by jrische 2 years ago, Committed by frenaud 2 years ago,
raw patch tree parent
2 files changed. 19 lines added. 0 lines removed.
daemons/ipa-kdb/ipa_kdb_mspac_v6.c
file modified
+10 -0
server.m4
file modified
+9 -0 
    kdb: Use krb5_pac_full_sign_compat() when available
    
    In November 2022, Microsoft introduced a new PAC signature type called
    "extended KDC signature" (or "full PAC checksum"). This new PAC
    signature will be required by default by Active Directory in July 2023
    for S4U requests, and opt-out will no longer be possible after October
    2023.
    
    Support for this new signature type was added to MIT krb5, but it relies
    on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions,
    the code generating extended KDC signatures cannot be backported as it
    is without backporting the full new KDB API code too. This would have
    too much impact to be done.
    
    As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL
    8 will include a downstream-only update adding the
    krb5_pac_full_sign_compat() function, which can be used in combination
    with the prior to 1.20 KDB API to generate PAC extended KDC signatures.
    
    Fixes: https://pagure.io/freeipa/issue/9373
    Signed-off-by: Julien Rische <jrische@redhat.com>
    Reviewed-By: Rob Crittenden <rcritten@redhat.com>
    Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
file modified
+10 -0
file modified
+9 -0
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.