[26658] in CVS-changelog-for-Kerberos-V5


krb5 commit: Try harder to make keytab-based AS requests work

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Jul 1 14:20:21 2012

Date: Sun, 1 Jul 2012 14:20:17 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201207011820.q61IKHIj027663@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/18b02f3e839c007fff54fc9b693f479b7563ec73
commit 18b02f3e839c007fff54fc9b693f479b7563ec73
Author: Greg Hudson <ghudson@mit.edu>
Date:   Sun Jul 1 14:19:56 2012 -0400

    Try harder to make keytab-based AS requests work
    
    When making a keytab-based AS request, a client has to choose between
    sending its reply key enctype preference list (the enctypes it has in
    the keytab) and its session key enctype preference list (all of the
    enctypes it supports).  Heimdal and MIT krb5 1.11 clients send the
    reply key preference list.  If this list doesn't overlap with the
    server principal keys (say, because the krbtgt principal has only a
    DES key), then the AS request will fail.
    
    Try to make this work by making the KDC optimistically pick the first
    permitted enctype in the request as the session key, even though it
    can't be certain that other KDCs in the realm support that enctype.
    
    Make sure to exercise this case in t_keytab.py by doing a multipass
    keytab kinit test.
    
    ticket: 7190 (new)

 src/kdc/kdc_util.c    |   17 ++++++++++++++++-
 src/tests/t_keytab.py |    7 ++++---
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 3c2169e..48947c6 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -1517,7 +1517,7 @@ validate_tgs_request(register krb5_kdc_req *request, krb5_db_entry server,
 }
 
 /* Return true if we believe server can support enctype as a session key. */
-krb5_boolean
+static krb5_boolean
 dbentry_supports_enctype(krb5_context context, krb5_db_entry *server,
                          krb5_enctype enctype)
 {
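Review bot: Narrowing dbentry_supports_enctype to static linkage is only safe if no header or other translation unit still declares or calls it; the patch touches no header, so confirm that the prototype was never exported (or is removed in the same change), otherwise the old extern declaration will now conflict with the static definition.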
@@ -1571,6 +1571,7 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
                        int nktypes, krb5_enctype *ktype)
 {
     int         i;
+    krb5_enctype first_permitted = 0;
 
     for (i = 0; i < nktypes; i++) {
         if (!krb5_c_valid_enctype(ktype[i]))
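Review bot: Using 0 as the "not yet set" sentinel for first_permitted relies on no permitted enctype having the numeric value 0 (ENCTYPE_NULL); that holds because krb5_c_valid_enctype rejects it before the assignment, but a one-line comment stating that assumption next to the declaration would save the next reader the lookup.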
@@ -1579,9 +1580,23 @@ select_session_keytype(krb5_context context, krb5_db_entry *server,
         if (!krb5_is_permitted_enctype(context, ktype[i]))
             continue;
 
+        if (first_permitted == 0)
+            first_permitted = ktype[i];
+
         if (dbentry_supports_enctype(context, server, ktype[i]))
             return ktype[i];
     }
+
+    /*
+     * If we didn't find a match and the server is the local TGS server, this
+     * could be a keytab-based AS request where the keytab enctypes don't
+     * overlap the TGT principal enctypes.  Try to make this work by using the
+     * first permitted enctype in the request, even though we can't be certain
+     * that other KDCs in the realm support it.
+     */
+    if (krb5_principal_compare(context, server->princ, tgs_server))
+        return first_permitted;
+
     return 0;
 }
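Review bot: The new fallback is keyed on the server principal being tgs_server, not on the request being a keytab-based AS request, so any request whose target is the local krbtgt (including TGS requests such as renewals or cross-realm paths that end at this TGS) will also get an unsupported-by-other-KDCs session enctype when the normal match fails; the comment should say so explicitly, or the caller should pass a flag so the relaxation applies only on the AS path the commit message describes. Also worth noting in the comment that the returned enctype is guaranteed only to be permitted on this KDC (krb5_is_permitted_enctype), not to match any key the krbtgt entry actually holds, which is exactly the cross-KDC risk the commit message accepts.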
 
diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py
index f56c7bb..ef303f1 100644
--- a/src/tests/t_keytab.py
+++ b/src/tests/t_keytab.py
@@ -1,10 +1,11 @@
 #!/usr/bin/python
 from k5test import *
 
-realm = K5Realm()
+for realm in multipass_realms(create_user=False):
+    # Test kinit with a keytab.
+    realm.kinit(realm.host_princ, flags=['-k'])
 
-# Test kinit with a keytab.
-realm.kinit(realm.host_princ, flags=['-k'])
+realm = K5Realm(get_creds=False)
 
 # Test kinit with a partial keytab.
 pkeytab = realm.keytab + '.partial'
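Review bot: The multipass loop only exercises the new KDC fallback if at least one multipass configuration gives the krbtgt principal an enctype set disjoint from the host keytab's (the DES-only krbtgt case from the commit message); please confirm such a pass exists, otherwise this test still passes without the kdc_util.c change. Separately, reusing the name realm for the loop variable and then for the fresh K5Realm(get_creds=False) below is easy to misread; a distinct name for the multipass iteration would make clear that the later tests run against a different realm.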
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
