| commit | f5622f9aa3bc05c3a40b7286387e25b7cd05dee4 | |
| author | Stefan Becker <chemobejk@gmail.com> | |
| Tue, 26 Feb 2013 12:58:55 +0000 (26 14:58 +0200) | ||
| committer | Stefan Becker <chemobejk@gmail.com> | |
| Tue, 26 Feb 2013 13:31:43 +0000 (26 15:31 +0200) | ||
| tree | ae66c2c69a4651341a93f42b19e2dedb13228436 | treesnapshot (tar.gz zip) |
| parent | 03802c8b8d0110b7f344bc7f15fccb833327b938 | commitdiff |
security: improve Kerberos w/o Single Sign-On & SSPI
This only affects setups with libkrb5 compiled in. This only affects
accounts where the user has provided user or login name, password,
selected "Kerberos" and not selected "Single Sign-On".
- connecting to the OCS server will trigger the first Kerberos security
context initiation. This will succeed if the user
* has either set up Kerberos Single Sign-On on the system, or
* has already a valid TGT in the Kerberos credential cache from a
previous SIPE run
- if this attempt fails we try to obtain a TGT using the authentication
information provided by the user. Then we'll retry to acquire the
credentials and initialization of the security context.
- if all of this fails then the SIP connection won't succeed, leading to
an account disconnect
- for all further Kerberos security context initiation attempts we are
guaranteed to have a valid TGT, i.e those should succeed and therefore
we won't allow retry for them.
Improvements to sip_sec_krb5_obtain_tgt():
- fixed memory leaks
- don't blindly initialize the users default credential cache. Only do
this if the first attempt to store our TGT into it fails.
This only affects setups with libkrb5 compiled in. This only affects
accounts where the user has provided user or login name, password,
selected "Kerberos" and not selected "Single Sign-On".
- connecting to the OCS server will trigger the first Kerberos security
context initiation. This will succeed if the user
* has either set up Kerberos Single Sign-On on the system, or
* has already a valid TGT in the Kerberos credential cache from a
previous SIPE run
- if this attempt fails we try to obtain a TGT using the authentication
information provided by the user. Then we'll retry to acquire the
credentials and initialization of the security context.
- if all of this fails then the SIP connection won't succeed, leading to
an account disconnect
- for all further Kerberos security context initiation attempts we are
guaranteed to have a valid TGT, i.e those should succeed and therefore
we won't allow retry for them.
Improvements to sip_sec_krb5_obtain_tgt():
- fixed memory leaks
- don't blindly initialize the users default credential cache. Only do
this if the first attempt to store our TGT into it fails.
| src/core/sip-sec-krb5.c | diffblobblamehistory |