krb5_boolean
krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
{
+ /* Only match a user-to-user credential if explicitly asked for, since the
+ * ticket won't work as a regular service ticket. */
+ if (! set(KRB5_TC_MATCH_IS_SKEY) && creds->is_skey)
+ return FALSE;
+
if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) &&
srvname_match(context, mcreds, creds)) ||
standard_fields_match(context, mcreds, creds))
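Review bot: The early return at `if (! set(KRB5_TC_MATCH_IS_SKEY) && creds->is_skey)` changes the contract of this shared matcher for every caller, and nothing in the hunk records that at the function level. Any lookup that omits KRB5_TC_MATCH_IS_SKEY will now never see a user-to-user credential; that presumably includes non-retrieval uses of the matcher such as credential removal, which is worth confirming against the callers. I would add a header comment such as `/* Credentials with is_skey set are matched only when KRB5_TC_MATCH_IS_SKEY is in whichfields. */`. The function body continues past the end of the hunk, so how the flag-set case compares is_skey is not visible here.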
realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')
realm.run([kadminl, 'modprinc', '+allow_svr', 'alice'])
+# Verify that normal lookups ignore the user-to-user ticket.
+realm.run([kvno, 'alice'], expected_msg='kvno = 1')
+out = realm.run([klist])
+if out.count('alice@KRBTEST.COM') != 2:
+ fail('expected two alice tickets after regular kvno')
+
# Try u2u against the client user.
realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
realm.run([klist])
+
+success('user-to-user tests')
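Review bot: The added test covers only the lookup without the flag; it does not check that a user-to-user request still finds its own ticket once the regular alice ticket is also in the cache. Repeating `realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')` after the klist count would cover that direction and guard against the two entries shadowing each other. The count check on the literal `'alice@KRBTEST.COM'` also depends on the exact klist layout and realm name, so a short comment such as `# One user-to-user ticket plus one regular service ticket.` above it would make the expected value of two easier to maintain.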