[30276] in CVS-changelog-for-Kerberos-V5
krb5 commit: Limit matching of user-to-user ccache credentials
daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Aug 27 18:19:38 2018
Date: Mon, 27 Aug 2018 18:19:31 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201808272219.w7RMJVM3011863@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu
https://github.com/krb5/krb5/commit/77ee8336c3f4d39d12146d8a631f9abd595d4cbb
commit 77ee8336c3f4d39d12146d8a631f9abd595d4cbb
Author: Greg Hudson <ghudson@mit.edu>
Date: Fri Aug 3 00:36:10 2018 -0400
Limit matching of user-to-user ccache credentials
In krb5int_cc_creds_match_request(), do not yield a user-to-user
credential if the caller is not looking for one; it would not be
useful when a normal service ticket (encrypted in the service key) is
required. Reported by Todd Lubin.
ticket: 8718
src/lib/krb5/ccache/cc_retr.c | 5 +++++
src/tests/t_u2u.py | 8 ++++++++
2 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index e8a20fe..c835129 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -164,6 +164,11 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
krb5_boolean
krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
{
+ /* Only match a user-to-user credential if explicitly asked for, since the
+ * ticket won't work as a regular service ticket. */
+ if (! set(KRB5_TC_MATCH_IS_SKEY) && creds->is_skey)
+ return FALSE;
+
if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
srvname_match(context, mcreds, creds)) ||
standard_fields_match(context, mcreds, creds))
diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py
index 8905dc2..1ca6ac8 100644
--- a/src/tests/t_u2u.py
+++ b/src/tests/t_u2u.py
@@ -21,7 +21,15 @@ realm.run([kvno, 'alice'], expected_code=1,
realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')
realm.run([kadminl, 'modprinc', '+allow_svr', 'alice'])
+# Verify that normal lookups ignore the user-to-user ticket.
+realm.run([kvno, 'alice'], expected_msg='kvno = 1')
+out = realm.run([klist])
+if out.count('alice@KRBTEST.COM') != 2:
+ fail('expected two alice tickets after regular kvno')
+
# Try u2u against the client user.
realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
realm.run([klist])
+
+success('user-to-user tests')
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
