[30598] in CVS-changelog-for-Kerberos-V5

home help back first fref pref prev next nref lref last post

krb5 commit: Allow client canonicalization in non-krbtgt AS-REP

daemon@ATHENA.MIT.EDU (Greg Hudson)
Sun Nov 3 13:56:45 2019

Date: Sun, 3 Nov 2019 13:56:39 -0500
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <201911031856.xA3IudfL004097@drugstore.mit.edu>
To: <cvs-krb5@mit.edu>
MIME-Version: 1.0
Reply-To: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/c6c19b1d35c6523cb7ed220c1f2e97e12e039293
commit c6c19b1d35c6523cb7ed220c1f2e97e12e039293
Author: Isaac Boukris <iboukris@gmail.com>
Date:   Tue Oct 15 20:41:49 2019 +0300

    Allow client canonicalization in non-krbtgt AS-REP
    
    If a caller makes an AS-REQ with the canonicalize flag set (or with an
    enterprise client principal or the anonymous flag), always allow the
    KDC to change the client principal.  Continue to restrict server name
    changes to requests for TGS principals.
    
    Also remove the conditional for setting canon_ok for fully anonymous
    requests.  Both kinds of anonymous requests change the client
    principal or realm, but neither kind changes the server principal or
    realm, so this logic is no longer needed now that canon_ok only
    applies to server name changes.
    
    [ghudson@mit.edu: clarified commit message; removed anonymous PKINIT
    clause]
    
    ticket: 8843 (new)

 src/lib/krb5/krb/get_in_tkt.c |    9 ++-------
 src/tests/t_kdb.py            |    3 +++
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dcf6663..870df62 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -230,17 +230,12 @@ verify_as_reply(krb5_context            context,
     if (canon_req) {
         canon_ok = IS_TGS_PRINC(request->server) &&
             IS_TGS_PRINC(as_reply->enc_part2->server);
-        if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
-            canon_ok = krb5_principal_compare_any_realm(context,
-                                                        as_reply->client,
-                                                        krb5_anonymous_principal());
-        }
     } else
         canon_ok = 0;
 
     if ((!canon_ok &&
-         (!krb5_principal_compare(context, as_reply->client, request->client) ||
-          !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+         !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))
+        || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client))
         || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
         || (request->nonce != as_reply->enc_part2->nonce)
         /* XXX check for extraneous flags */
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a082a5..cc5d2fc 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
 realm.kinit('canon', password('canon'))
 realm.kinit('alias', password('canon'), ['-C'])
 
+# Test client name canonicalization in non-krbtgt AS reply
+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
+
 mark('LDAP password history')
 
 # Test password history.
_______________________________________________
cvs-krb5 mailing list
cvs-krb5@mit.edu
https://mailman.mit.edu/mailman/listinfo/cvs-krb5
home help back first fref pref prev next nref lref last post