Commit
Add two new KDB methods to support resource-based constrained delegation. The get_authdata_info method extracts the client principal for the authdata (necessary for cross-realm RBCD requests, as the evidence ticket is a cross-realm TGT with the client's authdata), and also returns an opaque pointer for consumption by other KDB methods. The allowed_to_delegate_from method performs a constrained delegation policy check on the principal entry of the target principal. Add the server principal and abstract authdata representation to the sign_authdata method.

(XXX the DAL major version and KDB API version need to be bumped; this will be handled in the merge with PR krb5#965.)

Add core KDC code for RBCD requests. For local RBCD requests (impersonator and target in the same realm), KDC handling is similar to existing constrained delegation support. The evidence ticket is not required to be forwardable, and allowed_to_delegate_from is used in preference to check_allowed_to_delegate.

For cross-realm RBCD requests, the KDC could be in the impersonator realm, the target realm, or in a transit realm between the two. In the transit realm case, the request looks like a regular cross-realm request for a krbtgt service except for the information in the PAC, so this case is handled by the KDB module sign_authdata() method.

[ghudson@mit.edu: made style and documentation edits, and edited commit message]
1 parent 12d8fcb, commit 97be191
Showing 9 changed files with 367 additions and 47 deletions.