[27358] in CVS-changelog-for-Kerberos-V5
krb5 commit [krb5-1.11]: Don't return a host referral to the service
daemon@ATHENA.MIT.EDU (Tom Yu)
Fri Dec 7 13:24:27 2012
Date: Fri, 7 Dec 2012 13:24:09 -0500
From: Tom Yu <tlyu@mit.edu>
Message-Id: <201212071824.qB7IO9CV024403@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
https://github.com/krb5/krb5/commit/890ab3119c83c0adc0b61c1c389356b83090c8ee
commit 890ab3119c83c0adc0b61c1c389356b83090c8ee
Author: Greg Hudson <ghudson@mit.edu>
Date: Thu Dec 6 21:40:05 2012 -0500
Don't return a host referral to the service realm
A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst. Don't
respond with one in the KDC.
(cherry picked from commit ee0d5eac353a13a194759b72cb44203fda1bf0fa)
ticket: 7483
version_fixed: 1.11
status: resolved
src/kdc/do_tgs_req.c | 4 +++-
src/tests/Makefile.in | 1 +
src/tests/t_referral.py | 21 +++++++++++++++++++++
3 files changed, 25 insertions(+), 1 deletions(-)
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index b77c9eb..d41bc5d 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1148,7 +1148,9 @@ find_referral_tgs(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request,
kdc_err(kdc_context, retval, "unable to find realm of host");
goto cleanup;
}
- if (realms == NULL || realms[0] == '\0') {
+ /* Don't return a referral to the empty realm or the service realm. */
+ if (realms == NULL || realms[0] == '\0' ||
+ data_eq_string(srealm, realms[0])) {
retval = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
goto cleanup;
}
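Review bot: The carried-over test `realms[0] == '\0'` in the rewritten condition compares the pointer realms[0] against a character constant, so it is a null-pointer check, while the new comment describes it as rejecting "the empty realm". The next line passes realms[0] to data_eq_string() as a string, so if an empty realm string is what should be refused here, the test needs to dereference it (`realms[0] == NULL || *realms[0] == '\0'`). If only a missing first entry is meant, write `realms[0] == NULL` and reword the comment to match. As written, an empty-string realm that differs from srealm would pass this check and continue down the referral path.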
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 5bb2b04..c79c089 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -78,6 +78,7 @@ check-pytests:: hist
$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+ $(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
new file mode 100644
index 0000000..6654d71
--- /dev/null
+++ b/src/tests/t_referral.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir. For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+ expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+ fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')
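Review bot: The only assertion in this test, `if 'back to same realm' in trace:`, is a negative match on client trace wording, so the test also passes if the trace file comes back empty or the trace message is ever reworded, and `expected_code=1` accepts any kvno failure rather than the specific one this fix should produce. Suggest adding a positive check alongside it, for example that the trace is non-empty and that the kvno output reports the service principal as unknown, so that a pass shows the KDC refused the request for the intended reason. The header comment already notes that broader referral coverage is missing; a referral to a different realm that must still succeed would be a useful companion case, since the new data_eq_string() condition could otherwise over-match unnoticed.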