git.samba.org - lorikeet-heimdal.git/commit

author	Viktor Dukhovni <viktor@twosigma.com>
	Mon, 15 Jul 2019 03:02:57 +0000 (23:02 -0400)
committer	Viktor Dukhovni <viktor1ghub@dukhovni.org>
	Wed, 4 Sep 2019 22:00:15 +0000 (18:00 -0400)
commit	fae8df383961a4843a832ec7bf49443be5518202
tree	696d85a3323d3800c4684a8d247ec4750caf6a57	tree
parent	f40d393c83ef3ca4d05feeb0fbda3ef86b38eb75	commit \| diff

Optional backwards-compatible anon-pkinit behaviour

* Anonymous pkinit responses from the KDC where the name
  type is not well-known (as issued by 7.5 KDCs and earlier)
  are accepted by the client.  There is no need for the client
  to strictly enforce the name type.

* With historical_anon_pkinit = true, the kinit(1) client's
  "--anonymous" option only performs anon pkinit, and does
  not require an '@' prefix for the realm argument.

* With historical_anon_realm = true, the KDC issues anon
  pkinit tickets with the legacy pre-7.0 "real" realm.

kdc/default_config.c		diff \| blob \| history
kdc/kdc.8		diff \| blob \| history
kdc/kdc.h		diff \| blob \| history
kdc/kerberos5.c		diff \| blob \| history
kdc/pkinit.c		diff \| blob \| history
kuser/kinit.1		diff \| blob \| history
kuser/kinit.c		diff \| blob \| history
lib/krb5/krb5.conf.5		diff \| blob \| history
lib/krb5/krb5.h		diff \| blob \| history
lib/krb5/principal.c		diff \| blob \| history
lib/krb5/ticket.c		diff \| blob \| history