rpms/krb5/devel krb5-ok-as-delegate.patch, NONE, 1.1 krb5.spec, 1.127, 1.128
Nalin Somabhai Dahyabhai (nalin)
fedora-extras-commits at redhat.com
Sat Aug 25 04:28:43 UTC 2007
- Previous message (by thread): rpms/corkscrew/devel corkscrew.1, NONE, 1.1 corkscrew-2.0-from-debian.patch, 1.1, 1.2 corkscrew.spec, 1.2, 1.3
- Next message (by thread): rpms/krb5/devel krb5-1.6.1-selinux-label.patch, 1.1, 1.2 krb5.spec, 1.128, 1.129
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
Author: nalin
Update of /cvs/extras/rpms/krb5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv29796
Modified Files:
krb5.spec
Added Files:
krb5-ok-as-delegate.patch
Log Message:
- experimental ok-as-delegate setting patch (not applied)
krb5-ok-as-delegate.patch:
--- NEW FILE krb5-ok-as-delegate.patch ---
This appears to be the minimum needed to be able to set the OK-AS-DELEGATE
flag on an entry using kadmin, and to have the flag propagate back to clients
from the KDC. Note: this affects the KDB storage format, so this MUST NOT be
used until it's in upstream's tree.
Index: doc/admin.texinfo
===================================================================
--- doc/admin.texinfo (revision 19683)
+++ doc/admin.texinfo (working copy)
@@ -2758,6 +2758,13 @@
@samp{KRB5_KDB_REQURES_HW_AUTH} flag.) @code{-requires_hwauth} clears
this flag.
+ at itemx @{-|+@}ok_as_delegate
+ at code{+ok_as_delegate} sets the OK-AS-DELEGATE flag on tickets issued for use
+with this principal as the service, which clients may use as a hint that
+credentials can and should be delegated when authenticating to the service.
+(Sets the @samp{KRB5_KDB_OK_AS_DELEGATE} flag.) @code{-ok_as_delegate} clears
+this flag.
+
@itemx @{-|+@}allow_svr
@code{-allow_svr} prohibits the issuance of service tickets for principals. (Sets the @samp{KRB5_KDB_DISALLOW_SVR} flag.) @code{+allow_svr} clears this flag.
Index: src/include/kdb.h
===================================================================
--- src/include/kdb.h (revision 19683)
+++ src/include/kdb.h (working copy)
@@ -79,6 +79,7 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
+#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
/* Creation flags */
#define KRB5_KDB_CREATE_BTREE 0x00000001
Index: src/kdc/do_tgs_req.c
===================================================================
--- src/kdc/do_tgs_req.c (revision 19683)
+++ src/kdc/do_tgs_req.c (working copy)
@@ -533,6 +533,10 @@
goto cleanup;
}
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
ticket_reply.enc_part2 = &enc_tkt_reply;
/*
Index: src/kdc/do_as_req.c
===================================================================
--- src/kdc/do_as_req.c (revision 19683)
+++ src/kdc/do_as_req.c (working copy)
@@ -257,6 +257,10 @@
enc_tkt_reply.caddrs = request->addresses;
enc_tkt_reply.authorization_data = 0;
+ if (isflagset(server.attributes, KRB5_KDB_OK_AS_DELEGATE)) {
+ setflag(enc_tkt_reply.flags, TKT_FLG_OK_AS_DELEGATE);
+ }
+
/*
* Check the preauthentication if it is there.
*/
Index: src/kadmin/cli/kadmin.c
===================================================================
--- src/kadmin/cli/kadmin.c (revision 19683)
+++ src/kadmin/cli/kadmin.c (working copy)
@@ -65,7 +65,8 @@
{"needchange", 10, KRB5_KDB_REQUIRES_PWCHANGE, 0},
{"allow_svr", 9, KRB5_KDB_DISALLOW_SVR, 1},
{"password_changing_service", 25, KRB5_KDB_PWCHANGE_SERVICE, 0 },
-{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 }
+{"support_desmd5", 14, KRB5_KDB_SUPPORT_DESMD5, 0 },
+{"ok_as_delegate", 14, KRB5_KDB_OK_AS_DELEGATE, 0 }
};
static char *prflags[] = {
@@ -85,6 +86,7 @@
"PWCHANGE_SERVICE", /* 0x00002000 */
"SUPPORT_DESMD5", /* 0x00004000 */
"NEW_PRINC", /* 0x00008000 */
+ "OK_AS_DELEGATE" /* 0x00010000 */
};
char *getenv();
@@ -1101,6 +1103,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n");
}
@@ -1117,6 +1120,7 @@
"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n",
"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n",
"\t\trequires_hwauth needchange allow_svr password_changing_service\n"
+ "\t\tok_as_delegate\n"
"\nwhere,\n\t[-x db_princ_args]* - any number of database specific arguments.\n"
"\t\t\tLook at each database documentation for supported arguments\n"
);
Index: src/kadmin/cli/kadmin.M
===================================================================
--- src/kadmin/cli/kadmin.M (revision 19683)
+++ src/kadmin/cli/kadmin.M (working copy)
@@ -327,6 +327,16 @@
.B -requires_hwauth
clears this flag.
.TP
+{\fB\-\fP|\fB+\fP}\fBok_as_delegate\fP
+.B +ok_as_delegate
+sets the OK-AS-DELEGATE flag on tickets issued for use with this principal
+as the service, which clients may use as a hint that credentials can and
+should be delegated when authenticating to the service. (Sets the
+.SM KRB5_KDB_OK_AS_DELEGATE
+flag.)
+.B -ok_as_delegate
+clears this flag.
+.TP
{\fB\-\fP|\fB+\fP}\fBallow_svr\fP
.B -allow_svr
prohibits the issuance of service tickets for this principal. (Sets the
Index: src/lib/kadm5/str_conv.c
===================================================================
--- src/lib/kadm5/str_conv.c (revision 19683)
+++ src/lib/kadm5/str_conv.c (working copy)
@@ -73,6 +73,7 @@
static const char flags_tickets_in[] = "allow-tickets";
static const char flags_preauth_in[] = "preauth";
static const char flags_hwauth_in[] = "hwauth";
+static const char flags_ok_as_delegate_in[] = "ok-as-delegate";
static const char flags_pwchange_in[] = "pwchange";
static const char flags_service_in[] = "service";
static const char flags_pwsvc_in[] = "pwservice";
@@ -86,6 +87,7 @@
static const char flags_tickets_out[] = "All Tickets Disallowed";
static const char flags_preauth_out[] = "Preauthorization required";
static const char flags_hwauth_out[] = "HW Authorization required";
+static const char flags_ok_as_delegate_out[] = "OK as Delegate";
static const char flags_pwchange_out[] = "Password Change required";
static const char flags_service_out[] = "Service Disabled";
static const char flags_pwsvc_out[] = "Password Changing Service";
@@ -109,6 +111,7 @@
{ KRB5_KDB_DISALLOW_ALL_TIX, 0, flags_tickets_in, flags_tickets_out },
{ KRB5_KDB_REQUIRES_PRE_AUTH, 1, flags_preauth_in, flags_preauth_out },
{ KRB5_KDB_REQUIRES_HW_AUTH, 1, flags_hwauth_in, flags_hwauth_out },
+{ KRB5_KDB_OK_AS_DELEGATE, 1, flags_ok_as_delegate_in, flags_ok_as_delegate_out },
{ KRB5_KDB_REQUIRES_PWCHANGE, 1, flags_pwchange_in, flags_pwchange_out},
{ KRB5_KDB_DISALLOW_SVR, 0, flags_service_in, flags_service_out },
{ KRB5_KDB_PWCHANGE_SERVICE, 1, flags_pwsvc_in, flags_pwsvc_out },
Index: krb5.spec
===================================================================
RCS file: /cvs/extras/rpms/krb5/devel/krb5.spec,v
retrieving revision 1.127
retrieving revision 1.128
diff -u -r1.127 -r1.128
--- krb5.spec 23 Aug 2007 20:50:42 -0000 1.127
+++ krb5.spec 25 Aug 2007 04:28:10 -0000 1.128
@@ -89,6 +89,7 @@
Patch61: krb5-trunk-manpaths.patch
Patch62: krb5-any-fixup-patch.txt
Patch63: krb5-1.6.1-selinux-label.patch
+Patch64: krb5-ok-as-delegate.patch
License: MIT, freely distributable.
URL: http://web.mit.edu/kerberos/www/
@@ -1208,6 +1209,7 @@
#%patch57 -p1 -b .login_chdir
#%patch58 -p1 -b .key_exp
#%patch59 -p0 -b .kpasswd_tcp
+#%patch64 -p0 -b .ok-as-delegate
cp src/krb524/README README.krb524
gzip doc/*.ps
- Previous message (by thread): rpms/corkscrew/devel corkscrew.1, NONE, 1.1 corkscrew-2.0-from-debian.patch, 1.1, 1.2 corkscrew.spec, 1.2, 1.3
- Next message (by thread): rpms/krb5/devel krb5-1.6.1-selinux-label.patch, 1.1, 1.2 krb5.spec, 1.128, 1.129
- Messages sorted by:
[ date ]
[ thread ]
[ subject ]
[ author ]
More information about the fedora-extras-commits
mailing list