[19776] in Kerberos_V5_Development


kdc u2u patch, kind of a bugfix...

daemon@ATHENA.MIT.EDU (Chris Hecker)
Mon Jul 23 07:54:08 2018

To: krbdev@mit.edu
From: Chris Hecker <checker@d6.com>
Message-ID: <dcb4e59a-217f-b7ed-8dd4-49828c4d115f@d6.com>
Date: Mon, 23 Jul 2018 04:53:43 -0700
MIME-Version: 1.0
Content-Language: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu


Hi, I'm finally getting around to porting my old 1.9 patches to the 
latest krb5 source code, and here's the first one...I'll do this as a 
pull request, but figured maybe it wanted some discussion?  Or do you 
prefer the discussion to happen on the pull request?

Anyway, the kdc checks if KRB5_KDB_DISALLOW_SVR is set, and if it is, 
then it errors with a KDC_ERR_MUST_USE_USER2USER, except it doesn't 
actually handle the case where I am actually using u2u, so this fixes that.

I haven't tested it on 1.16 yet (will this week), but it has had 5 years 
of testing on 1.9!  :)

I'm also going to submit my old patch that disables ticket issuing if 
allow_tix has been turned off, as discussed here years ago, and with 
that I fixed the db_entry pass-by-value stuff in kdc_util.c, which I 
found was listed here: https://k5wiki.kerberos.org/wiki/Cleanups so I 
assume you'd be interested in those changes as well.

Chris


diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360..0356a47 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -733,7 +733,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
      }

      /* Check to see if server is allowed to be a service */
-    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
+    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) &&
+        !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
          *status = "SERVICE NOT ALLOWED";
          return(KDC_ERR_MUST_USE_USER2USER);
      }
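
Review bot: The added !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY) condition sits in validate_as_request according to the hunk header, while the message describes the user-to-user case, so please confirm that a request carrying this option can actually reach this check in the AS path, and whether a corresponding KRB5_KDB_DISALLOW_SVR check on the TGS request path needs the same exception. The comment above the condition still reads "Check to see if server is allowed to be a service" and should mention the user-to-user exception so the relaxed policy is visible to the next reader. Since the message says this is not yet tested on 1.16, a test that requests a ticket for a DISALLOW_SVR principal both with and without the option would show that KDC_ERR_MUST_USE_USER2USER is still returned in the non-u2u case.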
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
