summaryrefslogtreecommitdiff
path: root/source4/kdc/kpasswd-service-heimdal.c
Commit message (Collapse)AuthorAgeFilesLines
* s4:kdc: Set Kerberos debug class for all KDC filesAndreas Schneider2022-09-121-0/+3
| | | | | | | | Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Sep 12 03:27:55 UTC 2022 on sn-devel-184
* CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd ticketsJoseph Sutton2022-07-271-0/+13
| | | | | | | | | | | | | | | | | | If TGTs can be used as kpasswd tickets, the two-minute lifetime of a authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets are not supposed to be cached, but using this flaw, a stolen credentials cache containing a TGT may be used to change that account's password, and thus is made more valuable to an attacker. Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and service tickets without it, we assert the absence of this buffer to ensure we're not accepting a TGT. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* s4:kpasswd: Restructure code for clarityJoseph Sutton2022-07-271-24/+22
| | | | | | | View with 'git show -b'. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 s4:kpasswd: Require an initial ticketJoseph Sutton2022-07-271-0/+17
| | | | | | | | | | | Ensure that for password changes the client uses an AS-REQ to get the ticket to kpasswd, and not a TGS-REQ. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
* kdc: Remove pre-check for existing NT and LM hash from kpasswdAndrew Bartlett2022-03-171-1/+0
| | | | | | | | | We no longer use the old NT and LM hash as proof of performing a password change, and this removes the privileged status of these attributes. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
* s4: rename source4/smbd/ to source4/samba/Ralph Boehme2020-11-271-1/+1
| | | | | | | | Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Fri Nov 27 10:07:18 UTC 2020 on sn-devel-184
* s4-kdc: Add new kpasswd service Heimdal backendAndreas Schneider2016-09-131-0/+296
Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>
View Lorry Controller Status