The Samba-Bugzilla – Attachment 18126 Details for Bug 15045: [SECURITY] UF_SMARTCARD_REQUIRED not consistently honoured
[patch] Patch for Heimdal
bug-15045-heimdal.patch (text/plain), 2.02 KB, created by Jennifer Sutton on 2023-09-26 03:04:07 UTC
>From 551c4b42142e8de63ade61d58649149855cf32bf Mon Sep 17 00:00:00 2001 >From: Joseph Sutton <josephsutton@catalyst.net.nz> >Date: Fri, 29 Apr 2022 12:18:37 +1200 >Subject: [PATCH] third_party/heimdal: Enforce hardware authentication for > accounts requiring it > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > kdc/kerberos5.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) > >diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c >index d5ed939945..0f62e7fb42 100644 >--- a/kdc/kerberos5.c >+++ b/kdc/kerberos5.c >@@ -990,6 +990,7 @@ struct kdc_patypes { > #define PA_SYNTHETIC_OK 4 > #define PA_REPLACE_REPLY_KEY 8 /* PA mech replaces reply key */ > #define PA_USES_LONG_TERM_KEY 16 /* PA mech uses client's long-term key */ >+#define PA_HARDWARE_AUTH 32 /* PA mech uses hardware authentication */ > krb5_error_code (*validate)(astgs_request_t, const PA_DATA *pa); > krb5_error_code (*finalize_pac)(astgs_request_t r); > void (*cleanup)(astgs_request_t r); >@@ -999,11 +1000,11 @@ static const struct kdc_patypes pat[] = { > #ifdef PKINIT > { > KRB5_PADATA_PK_AS_REQ, "PK-INIT(ietf)", >- PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY, >+ PA_ANNOUNCE | PA_SYNTHETIC_OK | PA_REPLACE_REPLY_KEY | PA_HARDWARE_AUTH, > pa_pkinit_validate, NULL, NULL > }, > { >- KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE | PA_REPLACE_REPLY_KEY, >+ KRB5_PADATA_PK_AS_REQ_WIN, "PK-INIT(win2k)", PA_ANNOUNCE | PA_REPLACE_REPLY_KEY | PA_HARDWARE_AUTH, > pa_pkinit_validate, NULL, NULL > }, > { >@@ -2245,6 +2246,13 @@ _kdc_as_rep(astgs_request_t r) > ret = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; > goto out; > } >+ if (r->client->flags.require_hwauth && >+ !(pat[n].flags & PA_HARDWARE_AUTH)) { >+ kdc_log(r->context, config, 4, "Hardware authentication required for %s", r->cname); >+ >+ ret = KRB5KDC_ERR_POLICY; >+ goto out; >+ } > kdc_audit_addkv((kdc_request_t)r, KDC_AUDIT_VIS, "pa", "%s", > pat[n].name); > ret = pat[n].validate(r, pa); >-- >2.39.1 >
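Review bot: In the pat[] hunk, both PK-INIT entries gain PA_HARDWARE_AUTH, but the flag's comment ("PA mech uses hardware authentication") claims more than the KDC can verify: PKINIT proves possession of the private key for a certificate, not that the key is held on a smartcard. Suggest wording the comment as something like "PA mech satisfies accounts that require hardware authentication". The only entries carrying the flag also sit inside #ifdef PKINIT, so in a build without PKINIT no mechanism has it and every account with require_hwauth set is refused; that fail-closed behaviour deserves a sentence in the commit message, which currently has no body.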
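Review bot: In the _kdc_as_rep hunk, the require_hwauth check returns KRB5KDC_ERR_POLICY before the kdc_audit_addkv call that records "pa", so a refusal leaves no record of which pre-authentication mechanism was attempted; the kdc_log message names only r->cname. Suggest adding pat[n].name to the log message, or moving the check below the audit call and above pat[n].validate. The check also runs only after a pat[n] entry has matched supplied padata, so please confirm that a request for such an account that reaches the reply path without any validated padata is refused as well, since that path is not visible here. The kdc_log line also runs well past 80 columns and could be wrapped like the kdc_audit_addkv call below it.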