[30262] in CVS-changelog-for-Kerberos-V5
krb5 commit: Allow u2u requests when -allow_svr is set
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Jul 30 11:00:54 2018
Date: Mon, 30 Jul 2018 11:00:43 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201807301500.w6UF0hKP015242@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/23dc2efc6419c7abbac183a46ed89a16be33a48a
commit 23dc2efc6419c7abbac183a46ed89a16be33a48a
Author: Chris Hecker <checker@d6.com>
Date: Wed Jul 25 00:57:23 2018 -0500
Allow u2u requests when -allow_svr is set
If KRB5_KDB_DISALLOW_SVR is set on the server principal, still allow
user-to-user tickets to be issued unless KRB5_KDB_DISALLOW_DUP_SKEY is
also set. This change makes the KDC_ERR_MUST_USE_USER2USER error
message more appropriate.
ticket: 2641
[ghudson@mit.edu: added test case; updated documentation based on
suggestions by Patrick Moore; edited commit message]
doc/admin/admin_commands/kadmin_local.rst | 9 ++++++---
doc/admin/conf_files/kdc_conf.rst | 9 +++++----
src/appl/user_user/t_user2user.py | 6 ++++++
src/kdc/tgs_policy.c | 3 ++-
4 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst
index 9b5ccf4..0321202 100644
--- a/doc/admin/admin_commands/kadmin_local.rst
+++ b/doc/admin/admin_commands/kadmin_local.rst
@@ -297,8 +297,9 @@ Options:
{-\|+}\ **allow_dup_skey**
**-allow_dup_skey** disables user-to-user authentication for this
- principal by prohibiting this principal from obtaining a session
- key for another user. **+allow_dup_skey** clears this flag.
+ principal by prohibiting others from obtaining a service ticket
+ encrypted in this principal's TGT session key.
+ **+allow_dup_skey** clears this flag.
{-\|+}\ **requires_preauth**
**+requires_preauth** requires this principal to preauthenticate
@@ -325,7 +326,9 @@ Options:
{-\|+}\ **allow_svr**
**-allow_svr** prohibits the issuance of service tickets for this
- principal. **+allow_svr** clears this flag.
+ principal. In release 1.17 and later, user-to-user service
+ tickets are still allowed unless the **-allow_dup_skey** flag is
+ also set. **+allow_svr** clears this flag.
{-\|+}\ **allow_tgs_req**
**-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst
index ea185ae..227c76d 100644
--- a/doc/admin/conf_files/kdc_conf.rst
+++ b/doc/admin/conf_files/kdc_conf.rst
@@ -134,9 +134,8 @@ The following tags may be specified in a [realms] subsection:
the principal within this realm.
**dup-skey**
- Enabling this flag allows the principal to obtain a session
- key for another user, permitting user-to-user authentication
- for this principal.
+ Enabling this flag allows the KDC to issue user-to-user
+ service tickets for this principal.
**forwardable**
Enabling this flag allows the principal to obtain forwardable
@@ -193,7 +192,9 @@ The following tags may be specified in a [realms] subsection:
**service**
Enabling this flag allows the the KDC to issue service tickets
- for this principal.
+ for this principal. In release 1.17 and later, user-to-user
+ service tickets are still allowed if the **dup-skey** flag is
+ set.
**tgt-based**
Enabling this flag allows a principal to obtain tickets based
diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py
index 2c054f1..0d50d66 100755
--- a/src/appl/user_user/t_user2user.py
+++ b/src/appl/user_user/t_user2user.py
@@ -4,6 +4,12 @@ from k5test import *
debug_compiled=1
for realm in multipass_realms():
+ # Verify that -allow_svr denies regular TGS requests, but allows
+ # user-to-user TGS requests.
+ realm.run([kadminl, 'modprinc', '-allow_svr', realm.user_princ])
+ realm.run([kvno, realm.user_princ], expected_code=1,
+ expected_msg='Server principal valid for user2user only')
+
if debug_compiled == 0:
realm.start_in_inetd(['./uuserver', 'uuserver'], port=9999)
else:
diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c
index 4c08e44..907fcd3 100644
--- a/src/kdc/tgs_policy.c
+++ b/src/kdc/tgs_policy.c
@@ -146,7 +146,8 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server,
*status = "SERVER LOCKED OUT";
return KDC_ERR_S_PRINCIPAL_UNKNOWN;
}
- if (server.attributes & KRB5_KDB_DISALLOW_SVR) {
+ if ((server.attributes & KRB5_KDB_DISALLOW_SVR) &&
+ !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) {
*status = "SERVER NOT ALLOWED";
return KDC_ERR_MUST_USE_USER2USER;
}
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
