Add canonical client principal to PAC #902

Merged
merged 7 commits into from Dec 21, 2021

Commits on Dec 20, 2021

  1. commit 3666c6e

Commits on Dec 21, 2021

  1. commit 6935c17
  2. krb5: support for canonical name in PAC

    If the UPN_DNS_INFO buffer in the Windows PAC contains a canonical principal
    name, use it in lieu of the ticket client name to determine the GSS-API
    initiator name.
    lhoward committed Dec 21, 2021
    commit 81fc1ef
  3. kdc: add canonical principal name to authz data

    Use the UPN_DNS_INFO buffer of the PAC to include the canonical principal name.
    
    Arguably we should use AD-LOGIN-ALIAS as defined in RFC6806, but we may not
    always know all the principal's aliases, and this approach allows us to share
    application service logic with Windows.
    lhoward committed Dec 21, 2021
    commit 87e79be
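The two commits above (krb5 consuming the canonical name, kdc emitting it) both hinge on the UPN_DNS_INFO buffer of the PAC. The following is an added illustration written for this page, not code from the pull request or from the project: a bounds-checked parser and serialiser for that buffer following the MS-PAC layout (fixed header of lengths and offsets relative to the buffer start, UTF-16LE strings, and the "S" flag that adds the SamName and Sid fields carrying the canonical account name and SID). The `initiator_name` policy, the helper names and every sample value (the EXAMPLE.COM realm, the user and SID) are assumptions constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

# Flags field bits of the UPN_DNS_INFO buffer (MS-PAC section 2.10).
UPN_DNS_FLAG_UPN_CONSTRUCTED = 0x00000001  # "U": UPN was synthesised; the account has no UPN attribute
UPN_DNS_FLAG_SAM_NAME_AND_SID = 0x00000002  # "S": SamName/Sid fields present (the extended form)


@dataclass
class UpnDnsInfo:
    upn: str
    dns_domain_name: str
    flags: int
    sam_name: Optional[str] = None   # canonical account name, only with the S flag
    sid: Optional[str] = None        # account SID as a string, only with the S flag


def _sid_from_string(sid: str) -> bytes:
    """Encode an S-R-A-S1-S2... string as a binary SID: 1-byte revision, 1-byte
    sub-authority count, 6-byte big-endian authority, little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("malformed SID string")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)]) + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def _sid_to_string(raw: bytes) -> str:
    """Inverse of _sid_from_string; rejects a SID whose length disagrees with its count."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match SubAuthorityCount")
    subs = struct.unpack_from("<%dI" % raw[1], raw, 8)
    return "S-%d-%d" % (raw[0], int.from_bytes(raw[2:8], "big")) + "".join("-%d" % s for s in subs)


def _utf16_at(buf: bytes, length: int, offset: int) -> str:
    """Bounds-checked read of a UTF-16LE string field; offsets are relative to the buffer start."""
    if length % 2 or offset + length > len(buf):
        raise ValueError("string field out of bounds")
    return buf[offset:offset + length].decode("utf-16-le")


def parse_upn_dns_info(buf: bytes) -> UpnDnsInfo:
    """Parse a UPN_DNS_INFO buffer, including the SamName/Sid extension when the S flag is set."""
    if len(buf) < 12:
        raise ValueError("buffer too short for UPN_DNS_INFO header")
    upn_len, upn_off, dns_len, dns_off, flags = struct.unpack_from("<HHHHI", buf, 0)
    info = UpnDnsInfo(_utf16_at(buf, upn_len, upn_off), _utf16_at(buf, dns_len, dns_off), flags)
    if flags & UPN_DNS_FLAG_SAM_NAME_AND_SID:
        if len(buf) < 20:
            raise ValueError("S flag set but extended header missing")
        sam_len, sam_off, sid_len, sid_off = struct.unpack_from("<HHHH", buf, 12)
        if sid_off + sid_len > len(buf):
            raise ValueError("SID field out of bounds")
        info.sam_name = _utf16_at(buf, sam_len, sam_off)
        info.sid = _sid_to_string(buf[sid_off:sid_off + sid_len])
    return info


def build_upn_dns_info(upn: str, dns_domain: str, sam_name: Optional[str] = None,
                       sid: Optional[str] = None, upn_constructed: bool = False) -> bytes:
    """Serialise a UPN_DNS_INFO buffer; the extended form is emitted when sam_name and sid are given."""
    extended = sam_name is not None and sid is not None
    flags = (UPN_DNS_FLAG_UPN_CONSTRUCTED if upn_constructed else 0) \
        | (UPN_DNS_FLAG_SAM_NAME_AND_SID if extended else 0)
    header_len = 20 if extended else 12
    body = bytearray()

    def append(data: bytes) -> Tuple[int, int]:
        off = header_len + len(body)
        body.extend(data)
        while (header_len + len(body)) % 8:   # pad so the next field is 8-byte aligned, as Windows does
            body.append(0)
        return len(data), off

    fields = [append(upn.encode("utf-16-le")), append(dns_domain.encode("utf-16-le"))]
    header = struct.pack("<HHHHI", *fields[0], *fields[1], flags)
    if extended:
        sam = append(sam_name.encode("utf-16-le"))
        sid_field = append(_sid_from_string(sid))
        header += struct.pack("<HHHH", *sam, *sid_field)
    return header + bytes(body)


def initiator_name(info: UpnDnsInfo, ticket_client: str) -> str:
    """Illustrative policy (an assumption, not the project's code): prefer the canonical
    SAM name carried in the PAC over the ticket's client name when the S flag is set."""
    if info.flags & UPN_DNS_FLAG_SAM_NAME_AND_SID and info.sam_name:
        return "%s@%s" % (info.sam_name, info.dns_domain_name)
    return ticket_client


if __name__ == "__main__":
    # Constructed sample values, not taken from any real domain.
    buf = build_upn_dns_info("alice@EXAMPLE.COM", "EXAMPLE.COM", "alice", "S-1-5-21-1-2-3-1104")
    info = parse_upn_dns_info(buf)
    print(info)
    print(initiator_name(info, "Alice@EXAMPLE.COM"))
```

The parser checks every length/offset pair against the buffer before reading, which is the part that matters when the buffer comes off the wire: a KDC-signed PAC is trusted for its content, but the application service still has to parse it safely. The offsets are explicit in the header, so the 8-byte padding the builder emits is only for fidelity with what Windows produces and is not something the parser relies on.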
  4. kdc: support for PAC_ATTRIBUTES_INFO

    Add PAC_ATTRIBUTES_INFO to the PAC. This info buffer indicates whether the user
    explicitly requested a PAC be present or absent.
    
    Note: this changes the windc plugin ABI.
    lhoward committed Dec 21, 2021
    commit 05cf7d9
  5. kdc: add PA PAC finalize callback

    Note the selected pre-authentication mechanism, and add a callback to allow the
    pre-authentication mechanism to update the PAC immediately prior to signing.
    lhoward committed Dec 21, 2021
    commit 0b161c0
  6. kdc: include SID in PAC with GSS authorizer

    Update the sample GSS pre-authentication authorizer plugin to allow the PAC to
    be pinned to the authenticating user's SID.
    
    There is still a race condition between the time the user authenticates and the
    time the SID is looked up via LDAP, but it should be sufficient as an example;
    if more security is required, then users should be enrolled with their SIDs.
    lhoward committed Dec 21, 2021
    commit 88d4c27