Skip Menu |

Subject: git commit
Download (untitled) / with headers
text/plain 1.2KiB

Fix authdata signatures for non-TGT AS-REQs

PACs (as well as anything wrapped in CAMMAC) should be signed using
the local TGT key. Cross-realm TGS requests, ticket renewal and
validation requests, and non-TGT AS requests currently do not pass the
local TGT DB entry or its key to sign_authdata(), forcing the KDB
module to do a redundant lookup in order to properly sign PACs.

Rename the existing krbtgt and krbtgt_key parameters to header_server
and header_key, to better indicate that they are for the header ticket
server. For AS requests, pass NULL for these parameters instead of
passing a duplicate of server/server_key.

Add local_tgt and local_tgt_key parameters for the realm's local TGT
and its first key.

[ rewrote commit message]
Author: Isaac Boukris <>
Committer: Greg Hudson <>
Commit: 15349afaaedcf1113382a92bd3a34b7cedd0129f
Branch: master
src/include/kdb.h | 30 ++++++++++++++++++------------
src/kdc/kdc_authdata.c | 27 +++++++++------------------
src/lib/kdb/kdb5.c | 14 ++++++++------
src/plugins/kdb/test/kdb_test.c | 7 ++++---
4 files changed, 39 insertions(+), 39 deletions(-)