freeipa/daemons
Simo Sorce 417b9fb9c1 ipa-kdb: Verify the correct checksum in PAC validation
This patch requires a forthcoming change in MIT libraries which allows passing
NULL for the server_key to the krb5_pac_verify() function.

In most cases we should always only check the KDC checksum to verify the PAC
validity.

The only exception is when we are releasing a ticket to a client from another
realm. In this case the only signature we can check is the server checksum, and
we use the cross-realm key to validate in this case.

The previous code was working for normal cases because the kdc uses the same
key to create the server and the kdc checksum for a TGT, but that is not true
for evidence tickets (s4u2proxy) or cross-realm TGTs.

Fixes: https://fedorahosted.org/freeipa/ticket/2169
2012-01-11 17:34:15 -05:00
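The commit message above turns on which of the two PAC checksums a KDC can actually verify, and with which key. The following is an added, constructed model of that decision, not ipa-kdb or MIT libkrb5 code. It follows the MS-PAC shape (server checksum keyed over the PAC body, KDC checksum keyed over the server checksum bytes), uses HMAC-SHA1-96 as a stand-in for the Kerberos keyed checksum, and invents the key names, the PAC body and the helper names (`verify_pac`, `verify_before_fix`, `verify_after_fix`, `scenarios`). It shows why verifying with the krbtgt key as the server key happens to work for a TGT but fails for an s4u2proxy evidence ticket and for a cross-realm TGT, and how the behaviour described in the commit handles all three.

```python
"""Constructed model of which PAC checksum a KDC can verify with which key.
Illustrative example only; not ipa-kdb or MIT libkrb5 code. It mirrors the
MS-PAC layout: the server checksum is a keyed checksum over the PAC body
(the real format zeroes both signature fields first, simplified here), and
the KDC checksum is a keyed checksum over the server checksum bytes."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


def keyed_checksum(key: bytes, data: bytes) -> bytes:
    """Stand-in for the Kerberos keyed checksum. The 12-byte truncation
    mirrors HMAC-SHA1-96; the choice of MAC here is an assumption."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


@dataclass(frozen=True)
class Pac:
    body: bytes             # logon info and other buffers
    server_checksum: bytes  # keyed with the key of the ticket's service
    kdc_checksum: bytes     # keyed with the krbtgt key of the issuing realm


def sign_pac(body: bytes, server_key: bytes, kdc_key: bytes) -> Pac:
    """What the issuing KDC does when it puts a PAC into a ticket."""
    srv = keyed_checksum(server_key, body)
    return Pac(body, srv, keyed_checksum(kdc_key, srv))


def verify_pac(pac: Pac, server_key: Optional[bytes],
               kdc_key: Optional[bytes]) -> bool:
    """Model of krb5_pac_verify(): None for a key skips that checksum.
    Being able to pass NULL as server_key is the forthcoming MIT change the
    commit message depends on."""
    if server_key is not None and not hmac.compare_digest(
            keyed_checksum(server_key, pac.body), pac.server_checksum):
        return False
    if kdc_key is not None and not hmac.compare_digest(
            keyed_checksum(kdc_key, pac.server_checksum), pac.kdc_checksum):
        return False
    return True


def verify_before_fix(pac: Pac, krbtgt_key: bytes) -> bool:
    """Previous behaviour as described: the krbtgt key was used for both
    checksums, which only works when the ticket's service is krbtgt itself."""
    return verify_pac(pac, server_key=krbtgt_key, kdc_key=krbtgt_key)


def verify_after_fix(pac: Pac, krbtgt_key: bytes,
                     cross_realm_key: Optional[bytes] = None) -> bool:
    """Behaviour the commit describes: check only the KDC checksum, except
    for a ticket from another realm, where only the server checksum can be
    checked and the cross-realm key is the key that produced it."""
    if cross_realm_key is not None:
        return verify_pac(pac, server_key=cross_realm_key, kdc_key=None)
    return verify_pac(pac, server_key=None, kdc_key=krbtgt_key)


# Constructed keys and PAC body; none of this is real key material.
KRBTGT_KEY = b"local-realm-krbtgt-key"
SERVICE_KEY = b"http-service-key"            # service presenting an evidence ticket
CROSS_REALM_KEY = b"shared-inter-realm-key"  # krbtgt/LOCAL@REMOTE key
REMOTE_KRBTGT_KEY = b"remote-realm-krbtgt-key"
BODY = b"PAC_LOGON_INFO:user=alice;groups=admins"


def scenarios() -> dict:
    """The three ticket kinds from the commit message, checked both ways."""
    tgt = sign_pac(BODY, KRBTGT_KEY, KRBTGT_KEY)                # normal local TGT
    evidence = sign_pac(BODY, SERVICE_KEY, KRBTGT_KEY)          # s4u2proxy evidence ticket
    cross = sign_pac(BODY, CROSS_REALM_KEY, REMOTE_KRBTGT_KEY)  # TGT issued by the other realm
    return {
        "tgt_before": verify_before_fix(tgt, KRBTGT_KEY),
        "tgt_after": verify_after_fix(tgt, KRBTGT_KEY),
        "evidence_before": verify_before_fix(evidence, KRBTGT_KEY),
        "evidence_after": verify_after_fix(evidence, KRBTGT_KEY),
        "cross_before": verify_before_fix(cross, KRBTGT_KEY),
        "cross_after": verify_after_fix(cross, KRBTGT_KEY, CROSS_REALM_KEY),
        "cross_wrong_key": verify_after_fix(cross, KRBTGT_KEY, b"not-the-shared-key"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'verified' if ok else 'FAILED'}")
```

Only the TGT case passes under the old key choice; the evidence ticket and the cross-realm TGT both fail because their server checksums were produced with a key other than the local krbtgt key, which is exactly the situation the commit message describes.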
Name               Last commit                                               Date
ipa-kdb            ipa-kdb: Verify the correct checksum in PAC validation    2012-01-11 17:34:15 -05:00
ipa-sam            Add a second module init call for newer samba versions    2011-12-09 15:57:49 -05:00
ipa-slapi-plugins  ipa-cldap: Support clients asking for default domain      2012-01-05 09:38:04 -05:00
configure.ac       Add ipasam samba passdb backend                           2011-12-06 08:29:53 -05:00
ipa-version.h.in   Fix typos                                                 2011-09-07 13:20:42 +02:00
Makefile.am        Add ipasam samba passdb backend                           2011-12-06 08:29:53 -05:00