From: ghudson@mit.edu
Subject: git commit

Expand S4U2Self exception in KDC lineage check

An S4U2Self TGS-REQ using only a certificate to identify the user will
not include PA-FOR-USER, so we need to check both types when making an
exception in the lineage check. (S4U2Self requests are allowed to
bypass the lineage check because cross-realm S4U2Self ends with a
backwards cross-realm request to the server realm.)

[ghudson@mit.edu: factored out padata check; deindented the code block
by combining conditionals; rewrote commit message]

https://github.com/krb5/krb5/commit/26c3818737cf16d476043a4acec8afb0fa67e47f
Author: Isaac Boukris <iboukris@gmail.com>
Committer: Greg Hudson <ghudson@mit.edu>
Commit: 26c3818737cf16d476043a4acec8afb0fa67e47f
Branch: master
src/kdc/kdc_util.c | 27 +++++++++++++++++----------
1 files changed, 17 insertions(+), 10 deletions(-)