mirror of
https://git.FreeBSD.org/ports.git
synced 2024-10-20 20:09:11 +00:00
23733c0471
KRB5 1.16 releases. Major changes in 1.16 (2017-12-05) ================================== Administrator experience: * The KDC can match PKINIT client certificates against the "pkinit_cert_match" string attribute on the client principal entry, using the same syntax as the existing "pkinit_cert_match" profile option. * The ktutil addent command supports the "-k 0" option to ignore the key version, and the "-s" option to use a non-default salt string. * kpropd supports a --pid-file option to write a pid file at startup, when it is run in standalone mode. * The "encrypted_challenge_indicator" realm option can be used to attach an authentication indicator to tickets obtained using FAST encrypted challenge pre-authentication. * Localization support can be disabled at build time with the --disable-nls configure option. Developer experience: * The kdcpolicy pluggable interface allows modules control whether tickets are issued by the KDC. * The kadm5_auth pluggable interface allows modules to control whether kadmind grants access to a kadmin request. * The certauth pluggable interface allows modules to control which PKINIT client certificates can authenticate to which client principals. * KDB modules can use the client and KDC interface IP addresses to determine whether to allow an AS request. * GSS applications can query the bit strength of a krb5 GSS context using the GSS_C_SEC_CONTEXT_SASL_SSF OID with gss_inquire_sec_context_by_oid(). * GSS applications can query the impersonator name of a krb5 GSS credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with gss_inquire_cred_by_oid(). * kdcpreauth modules can query the KDC for the canonicalized requested client principal name, or match a principal name against the requested client principal name with canonicalization. Protocol evolution: * The client library will continue to try pre-authentication mechanisms after most failure conditions. * The KDC will issue trivially renewable tickets (where the renewable lifetime is equal to or less than the ticket lifetime) if requested by the client, to be friendlier to scripts. * The client library will use a random nonce for TGS requests instead of the current system time. * For the RC4 string-to-key or PAC operations, UTF-16 is supported (previously only UCS-2 was supported). * When matching PKINIT client certificates, UPN SANs will be matched correctly as UPNs, with canonicalization. User experience: * Dates after the year 2038 are accepted (provided that the platform time facilities support them), through the year 2106. * Automatic credential cache selection based on the client realm will take into account the fallback realm and the service hostname. * Referral and alternate cross-realm TGTs will not be cached, avoiding some scenarios where they can be added to the credential cache multiple times. * A German translation has been added.
76 lines
2.1 KiB
C
76 lines
2.1 KiB
C
--- lib/krb5/os/localaddr.c.orig 2009-10-30 20:17:27.000000000 -0700
|
|
+++ lib/krb5/os/localaddr.c 2010-04-19 12:39:56.707090973 -0700
|
|
@@ -175,6 +175,7 @@
|
|
}
|
|
#endif
|
|
|
|
+#if 0
|
|
static int
|
|
is_loopback_address(struct sockaddr *sa)
|
|
{
|
|
@@ -191,6 +192,7 @@
|
|
return 0;
|
|
}
|
|
}
|
|
+#endif
|
|
|
|
#ifdef HAVE_IFADDRS_H
|
|
#include <ifaddrs.h>
|
|
@@ -467,12 +469,14 @@
|
|
ifp->ifa_flags &= ~IFF_UP;
|
|
continue;
|
|
}
|
|
+#if 0
|
|
if (is_loopback_address(ifp->ifa_addr)) {
|
|
/* Pretend it's not up, so the second pass will skip
|
|
it. */
|
|
ifp->ifa_flags &= ~IFF_UP;
|
|
continue;
|
|
}
|
|
+#endif
|
|
/* If this address is a duplicate, punt. */
|
|
match = 0;
|
|
for (ifp2 = ifp_head; ifp2 && ifp2 != ifp; ifp2 = ifp2->ifa_next) {
|
|
@@ -601,11 +605,13 @@
|
|
}
|
|
/*@=moduncon@*/
|
|
|
|
+#if 0
|
|
/* None of the current callers want loopback addresses. */
|
|
if (is_loopback_address((struct sockaddr *)&lifr->lifr_addr)) {
|
|
Tprintf ((" loopback\n"));
|
|
goto skip;
|
|
}
|
|
+#endif
|
|
/* Ignore interfaces that are down. */
|
|
if ((lifreq.lifr_flags & IFF_UP) == 0) {
|
|
Tprintf ((" down\n"));
|
|
@@ -772,11 +778,13 @@
|
|
}
|
|
/*@=moduncon@*/
|
|
|
|
+#if 0
|
|
/* None of the current callers want loopback addresses. */
|
|
if (is_loopback_address(&lifr->iflr_addr)) {
|
|
Tprintf ((" loopback\n"));
|
|
goto skip;
|
|
}
|
|
+#endif
|
|
/* Ignore interfaces that are down. */
|
|
if ((lifreq.iflr_flags & IFF_UP) == 0) {
|
|
Tprintf ((" down\n"));
|
|
@@ -987,11 +995,13 @@
|
|
}
|
|
/*@=moduncon@*/
|
|
|
|
+#if 0
|
|
/* None of the current callers want loopback addresses. */
|
|
if (is_loopback_address(&ifreq.ifr_addr)) {
|
|
Tprintf ((" loopback\n"));
|
|
goto skip;
|
|
}
|
|
+#endif
|
|
/* Ignore interfaces that are down. */
|
|
if ((ifreq.ifr_flags & IFF_UP) == 0) {
|
|
Tprintf ((" down\n"));
|