Ticket History #6870: Don't reject AP-REQs based on PACs

# Wed Feb 16 18:34:38 2011 ghudson@mit.edu (Greg Hudson) - Ticket created

From:	ghudson@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 700B

Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.

https://github.com/krb5/krb5/commit/76ebe5d07c1002b674eb1c4e3ab35f6001eec91c
Commit By: ghudson
Revision: 24640
Changed Files:
U trunk/src/include/k5-trace.h
U trunk/src/lib/krb5/krb/pac.c

# Wed Feb 16 18:34:38 2011 ghudson@mit.edu (Greg Hudson) - Requestor ghudson@mit.edu (Greg Hudson) added

# Wed Feb 16 18:34:38 2011 ghudson@mit.edu (Greg Hudson) - Status changed from 'new' to 'review'

# Wed Feb 16 18:34:38 2011 ghudson@mit.edu (Greg Hudson) - Tags pullup added

# Wed Feb 16 18:34:38 2011 ghudson@mit.edu (Greg Hudson) - Target_Version 1.9.1 added

# Tue Feb 22 17:17:27 2011 tlyu (Taylor Yu) - Status changed from 'review' to 'resolved'

# Tue Feb 22 17:17:27 2011 tlyu (Taylor Yu) - Version_Fixed 1.9.1 added

# Tue Feb 22 17:17:27 2011 tlyu (Taylor Yu) - Correspondence added

From:	tlyu@mit.edu
Subject:	SVN Commit

Download (untitled) / with headers
text/plain 1003B

pull up r24640 from trunk

------------------------------------------------------------------------
r24640 | ghudson | 2011-02-16 18:34:37 -0500 (Wed, 16 Feb 2011) | 14 lines

ticket: 6870
subject: Don't reject AP-REQs based on PACs
target_version: 1.9.1
tags: pullup

Experience has shown that it was a mistake to fail AP-REQ verification
based on failure to verify the signature of PAC authdata contained in
the ticket. We've had two rounds of interoperability issues with the
hmac-md5 checksum code, an interoperability issue OSX generating
unsigned PACs, and another problem where PACs are copied by older KDCs
from a cross-realm TGT into the service ticket. If a PAC signature
cannot be verified, just don't mark it as verified and continue on
with the AP exchange.

https://github.com/krb5/krb5/commit/028125b8c2ba963cb28710de68706b2bb14c6c3b
Commit By: tlyu
Revision: 24647
Changed Files:
U branches/krb5-1-9/src/include/k5-trace.h
U branches/krb5-1-9/src/lib/krb5/krb/pac.c

# Wed Feb 23 14:03:29 2011 tlyu (Taylor Yu) - Ticket 6870 RefersTo ticket 6839.

# Wed Dec 16 18:02:56 2015 tlyu (Taylor Yu) - CustomField pullup deleted