[19817] in Kerberos_V5_Development


Re: kdc: cross realm s4u2self handling

daemon@ATHENA.MIT.EDU (Isaac Boukris)
Thu Sep 20 22:51:12 2018

In-Reply-To: <b4751f59-6ea4-1300-2cb8-1880697ceeac@mit.edu>
From: Isaac Boukris <iboukris@gmail.com>
Date: Fri, 21 Sep 2018 08:20:45 +0530
Message-ID: <CAC-fF8RUgZnE9AZTjSeWsD_OPHq-wAXEyzdr3xErKM+3Vo2Jtg@mail.gmail.com>
To: Greg Hudson <ghudson@mit.edu>
Cc: krbdev@mit.edu

On Thu, Sep 20, 2018 at 4:03 AM, Greg Hudson <ghudson@mit.edu> wrote:
> It occurs to me that a within-realm S4U2Self request (i.e. one using a local
> TGT header ticket rather than a cross-TGT one) should still fail if it
> results in a referral.  I will try to put together a test case for that.

I see, though I'm not sure I understand how this would happen.

In any case, would it suffice to condition the check on:
is_local_principal(kdc_active_realm, header_ticket->server)
Or perhaps on (are those two necessarily equivalent here btw?):
!is_cross_tgs_principal(header_ticket->server)


Note, in case of a local TGT header ticket, I think we could add:
if (client == NULL)
    return KRB5KDC_ERR_POLICY;
The client here being the principal to impersonate, which must be
local in that case.

This would help return the same error as Windows in the case when a bad
implementation (e.g. current Heimdal) uses a local TGT to request an
S4U2Self ticket from its own KDC on behalf of a foreign principal.
I'll need to add that logic to my heimdal kdc changes as well, as
currently it only fails there on PAC logon-name mismatch.

>> Other than that, what do you think of the pac_verify/sign_ex() routines,
>> does it look ok?
>
> I looked over them briefly and don't have a problem with them.  If you
> submit a PR I will examine them more closely and cross-check against
> [MS-PAC] and [MS-SFU].

I'll submit a PR soon, thanks a lot for all the feedback.
_______________________________________________
krbdev mailing list             krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev
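As an added illustration of the check discussed in the message above (example code, not the MIT krb5 or Heimdal KDC's own; `princ_t`, the two predicates and the sample principals are simplified constructions), this models the local-TGT S4U2Self refusal and shows one principal on which is_local_principal() and !is_cross_tgs_principal() disagree:

```c
#include <stdbool.h>
#include <string.h>

/* Error code returned when the KDC refuses the request (RFC 4120 value 12). */
#define KRB5KDC_ERR_POLICY 12

/* Minimal stand-in for a Kerberos principal: realm plus up to two name components. */
typedef struct {
    const char *realm;
    const char *comp[2];
    int ncomp;
} princ_t;

/* krbtgt/<realm2>: the service principal named as server in a TGT. */
static bool is_tgs_principal(const princ_t *p)
{
    return p->ncomp == 2 && strcmp(p->comp[0], "krbtgt") == 0;
}

/* A TGS principal whose second component names a realm other than its own,
 * i.e. the server name of a cross-realm TGT (simplified model, not MIT's code). */
bool is_cross_tgs_principal(const princ_t *p)
{
    return is_tgs_principal(p) && strcmp(p->comp[1], p->realm) != 0;
}

/* The principal's realm is the realm this KDC serves. */
bool is_local_principal(const char *kdc_realm, const princ_t *p)
{
    return strcmp(p->realm, kdc_realm) == 0;
}

/* S4U2Self decision for a request whose header ticket is a local TGT: if the
 * principal to impersonate was not found in the local database
 * (client_found == false) refuse with KRB5KDC_ERR_POLICY. Cross-realm header
 * tickets are left to the cross-realm path and return 0 here, as does any
 * request that may proceed to the remaining KDC checks. */
int s4u2self_local_tgt_check(const char *kdc_realm, const princ_t *header_server,
                             bool client_found)
{
    if (!is_local_principal(kdc_realm, header_server))
        return 0;
    return client_found ? 0 : KRB5KDC_ERR_POLICY;
}

/* Constructed sample header-ticket server names for a KDC serving EXAMPLE.COM. */
const princ_t LOCAL_TGT = { "EXAMPLE.COM", { "krbtgt", "EXAMPLE.COM" }, 2 };
const princ_t CROSS_TGT_FROM_OTHER = { "OTHER.COM", { "krbtgt", "EXAMPLE.COM" }, 2 };
/* The local realm's own cross-realm TGS entry: local by realm, cross by name,
 * so is_local_principal() and !is_cross_tgs_principal() disagree on it. */
const princ_t LOCAL_CROSS_ENTRY = { "EXAMPLE.COM", { "krbtgt", "OTHER.COM" }, 2 };
```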
