e21505d ipa-kdb: Verify the correct checksum in PAC validation

Authored and Committed by simo 12 years ago
    ipa-kdb: Verify the correct checksum in PAC validation
    
    This patch requires a forthcoming change in MIT libraries which allows passing
    NULL for the server_key to the krb5_pac_verify() function.
    
    In most cases we should always only check the KDC checksum to verify the PAC
    validity.
    
    The only exception is when we are releasing a ticket to a client from another
    realm. In this case the only signature we can check is the server checksum, and
    we use the cross-realm key to validate in this case.
    
    The previous code was working for normal cases because the KDC uses the same
    key to create the server and the KDC checksum for a TGT, but that is not true
    for evidence tickets (s4u2proxy) or cross-realm TGTs.
    
    Fixes: https://fedorahosted.org/freeipa/ticket/2169
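
Added example, not part of this commit or of FreeIPA's code: a Python model of the key selection the message describes, showing why checking both checksums with one key passes for a TGT but fails for an evidence ticket or a cross-realm TGT. The `mac`, `sign_pac`, `pac_verify`, `old_check` and `new_check` helpers, the HMAC-SHA256 stand-in checksum and all key values are assumptions made for illustration; `pac_verify` only mimics the "NULL key skips that checksum" call shape.

```python
import hashlib
import hmac

def mac(key, data):
    # Stand-in keyed checksum; real PACs use the checksum type of the Kerberos key.
    return hmac.new(key, data, hashlib.sha256).digest()

def sign_pac(body, server_key, kdc_key):
    # Server checksum covers the PAC body; KDC checksum covers the server checksum.
    server_sig = mac(server_key, body)
    return {"body": body, "server_sig": server_sig, "kdc_sig": mac(kdc_key, server_sig)}

def pac_verify(pac, server_key, kdc_key):
    # Model of the call shape in the message: a key of None skips that checksum.
    if server_key is not None and not hmac.compare_digest(
            mac(server_key, pac["body"]), pac["server_sig"]):
        return False
    if kdc_key is not None and not hmac.compare_digest(
            mac(kdc_key, pac["server_sig"]), pac["kdc_sig"]):
        return False
    return True

def old_check(pac, krbtgt_key):
    # Previous behaviour as the message implies: one key for both checksums.
    return pac_verify(pac, krbtgt_key, krbtgt_key)

def new_check(pac, krbtgt_key, cross_realm_key=None):
    # Cross-realm: only the server checksum, with the cross-realm key.
    if cross_realm_key is not None:
        return pac_verify(pac, cross_realm_key, None)
    # Everything else: only the KDC checksum, with the local krbtgt key.
    return pac_verify(pac, None, krbtgt_key)

# Constructed keys and PACs (hypothetical values, for illustration only).
KRBTGT, SERVICE = b"local-krbtgt", b"service"
XREALM, FOREIGN_KRBTGT = b"cross-realm", b"foreign-krbtgt"
TGT = sign_pac(b"pac", KRBTGT, KRBTGT)            # same key for both checksums
EVIDENCE = sign_pac(b"pac", SERVICE, KRBTGT)      # s4u2proxy evidence ticket
CROSS = sign_pac(b"pac", XREALM, FOREIGN_KRBTGT)  # TGT issued by the other realm

if __name__ == "__main__":
    for name, pac, xkey in (("TGT", TGT, None), ("evidence", EVIDENCE, None),
                            ("cross-realm", CROSS, XREALM)):
        print(name, "old:", old_check(pac, KRBTGT), "new:", new_check(pac, KRBTGT, xkey))
```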