From: Chris Hecker Date: Wed, 25 Jul 2018 05:57:23 +0000 (-0500) Subject: Allow u2u requests when -allow_svr is set X-Git-Tag: krb5-1.17-beta1~69 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=23dc2efc6419c7abbac183a46ed89a16be33a48a;p=thirdparty%2Fkrb5.git Allow u2u requests when -allow_svr is set If KRB5_KDB_DISALLOW_SVR is set on the server principal, still allow user-to-user tickets to be issued unless KRB5_KDB_DISALLOW_DUP_SKEY is also set. This change makes the KDC_ERR_MUST_USE_USER2USER error message more appropriate. ticket: 2641 [ghudson@mit.edu: added test case; updated documentation based on suggestions by Patrick Moore; edited commit message] --- diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index 9b5ccf4e91..0321202551 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -297,8 +297,9 @@ Options: {-\|+}\ **allow_dup_skey** **-allow_dup_skey** disables user-to-user authentication for this - principal by prohibiting this principal from obtaining a session - key for another user. **+allow_dup_skey** clears this flag. + principal by prohibiting others from obtaining a service ticket + encrypted in this principal's TGT session key. + **+allow_dup_skey** clears this flag. {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate @@ -325,7 +326,9 @@ Options: {-\|+}\ **allow_svr** **-allow_svr** prohibits the issuance of service tickets for this - principal. **+allow_svr** clears this flag. + principal. In release 1.17 and later, user-to-user service + tickets are still allowed unless the **-allow_dup_skey** flag is + also set. **+allow_svr** clears this flag. {-\|+}\ **allow_tgs_req** **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index ea185aeca6..227c76dd41 100644 
--- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -134,9 +134,8 @@ The following tags may be specified in a [realms] subsection: the principal within this realm. **dup-skey** - Enabling this flag allows the principal to obtain a session - key for another user, permitting user-to-user authentication - for this principal. + Enabling this flag allows the KDC to issue user-to-user + service tickets for this principal. **forwardable** Enabling this flag allows the principal to obtain forwardable @@ -193,7 +192,9 @@ The following tags may be specified in a [realms] subsection: **service** Enabling this flag allows the the KDC to issue service tickets - for this principal. + for this principal. In release 1.17 and later, user-to-user + service tickets are still allowed if the **dup-skey** flag is + set. **tgt-based** Enabling this flag allows a principal to obtain tickets based diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py index 2c054f1819..0d50d66858 100755 --- a/src/appl/user_user/t_user2user.py +++ b/src/appl/user_user/t_user2user.py @@ -4,6 +4,12 @@ from k5test import * debug_compiled=1 for realm in multipass_realms(): + # Verify that -allow_svr denies regular TGS requests, but allows + # user-to-user TGS requests. + realm.run([kadminl, 'modprinc', '-allow_svr', realm.user_princ]) + realm.run([kvno, realm.user_princ], expected_code=1, + expected_msg='Server principal valid for user2user only') + if debug_compiled == 0: realm.start_in_inetd(['./uuserver', 'uuserver'], port=9999) else: diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c index 4c08e44e62..907fcd3304 100644 --- a/src/kdc/tgs_policy.c +++ b/src/kdc/tgs_policy.c 
@@ -146,7 +146,8 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server, *status = "SERVER LOCKED OUT"; return KDC_ERR_S_PRINCIPAL_UNKNOWN; } - if (server.attributes & KRB5_KDB_DISALLOW_SVR) { + if ((server.attributes & KRB5_KDB_DISALLOW_SVR) && + !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) { *status = "SERVER NOT ALLOWED"; return KDC_ERR_MUST_USE_USER2USER; }
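Review bot: In the doc/admin/conf_files/kdc_conf.rst hunk at `@@ -193,7 +192,9 @@`, the sentence added under **service** follows "Enabling this flag allows ..." without saying that it describes the case where the flag is disabled, so it can be read as a condition on the enabled case. Suggest wording along the lines of "If this flag is disabled, user-to-user service tickets are still allowed in release 1.17 and later if the **dup-skey** flag is set." The unchanged context line above it reads "allows the the KDC", which is worth fixing while this paragraph is being touched.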
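Review bot: In the src/appl/user_user/t_user2user.py hunk, the added lines assert only the denial half of their comment: `kvno` fails with 'Server principal valid for user2user only'. The "allows user-to-user TGS requests" half is left to the uuserver code that follows in the loop, and no case covers `-allow_svr` together with `-allow_dup_skey`. Suggest adding a case that sets both flags on `realm.user_princ` and expects the user-to-user exchange to fail, since that combination is the boundary the commit message and the documentation hunks describe.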
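Review bot: In the src/kdc/tgs_policy.c hunk, the new condition in `check_tgs_svc_deny_all()` skips the `KRB5_KDB_DISALLOW_SVR` rejection whenever `KDC_OPT_ENC_TKT_IN_SKEY` is set, but nothing in the visible lines shows where `KRB5_KDB_DISALLOW_DUP_SKEY` is then enforced, which the commit message relies on ("unless KRB5_KDB_DISALLOW_DUP_SKEY is also set"). Please add a short comment at this condition stating that user-to-user requests are passed through here and naming the check that still rejects them when `DISALLOW_DUP_SKEY` is set, so a later reader does not take this for an unconditional bypass of `-allow_svr`.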