From: Greg Hudson Date: Fri, 3 Aug 2018 04:36:10 +0000 (-0400) Subject: Limit matching of user-to-user ccache credentials X-Git-Tag: krb5-1.17-beta1~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77ee8336c3f4d39d12146d8a631f9abd595d4cbb;p=thirdparty%2Fkrb5.git Limit matching of user-to-user ccache credentials In krb5int_cc_creds_match_request(), do not yield a user-to-user credential if the caller is not looking for one; it would not be useful when a normal service ticket (encrypted in the service key) is required. Reported by Todd Lubin. ticket: 8718
---
diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c
index e8a20fe360..c835129597 100644
--- a/src/lib/krb5/ccache/cc_retr.c
+++ b/src/lib/krb5/ccache/cc_retr.c
@@ -164,6 +164,11 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes)
 krb5_boolean
 krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds)
 {
+ /* Only match a user-to-user credential if explicitly asked for, since the
+ * ticket won't work as a regular service ticket. */
+ if (! set(KRB5_TC_MATCH_IS_SKEY) && creds->is_skey)
+ return FALSE;
+
 if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && srvname_match(context, mcreds, creds)) || standard_fields_match(context, mcreds, creds))
diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py
index 8905dc209a..1ca6ac87e2 100644
--- a/src/tests/t_u2u.py
+++ b/src/tests/t_u2u.py
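Review bot: The header comment above krb5int_cc_creds_match_request (outside the hunk; the function body also continues past it) still describes a plain field comparison, while the added early return makes is_skey an implicit match criterion for every caller that leaves KRB5_TC_MATCH_IS_SKEY out of whichfields; suggest extending that comment with `Also returns FALSE for a user-to-user (is_skey) credential unless KRB5_TC_MATCH_IS_SKEY is set, since such a ticket cannot serve as a regular service ticket.` A caller that previously retrieved a u2u ticket by name alone now presumably gets a not-found result from the ccache, so the KRB5_TC_MATCH_IS_SKEY description in the public header deserves the same note. The guard is only as good as the is_skey value the ccache back end preserved for the stored credential; a back end that drops that field would make it silently ineffective, and the new t_u2u.py check exercises only the default ccache type.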
@@ -21,7 +21,15 @@ realm.run([kvno, 'alice'], expected_code=1,
 realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0')
 realm.run([kadminl, 'modprinc', '+allow_svr', 'alice'])
+# Verify that normal lookups ignore the user-to-user ticket.
+realm.run([kvno, 'alice'], expected_msg='kvno = 1')
+out = realm.run([klist])
+if out.count('alice@KRBTEST.COM') != 2:
+ fail('expected two alice tickets after regular kvno')
+
 # Try u2u against the client user.
 realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
 realm.run([klist])
+
+success('user-to-user tests')
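Review bot: The new check counts every occurrence of 'alice@KRBTEST.COM' in the whole klist output rather than ticket entries, so it is looser than it reads — any other line carrying that string (a default-principal line, were the client alice) would shift the count — and the comment does not say which two tickets are expected. Suggest counting only service-principal lines and naming them: `# Expect two alice tickets: the u2u one (kvno 0) fetched above and the regular service ticket just fetched.` followed by `if len([l for l in out.splitlines() if l.endswith('alice@KRBTEST.COM')]) != 2:`. The `kvno = 1` expectation, against `kvno = 0` for the u2u ticket earlier in the hunk, is what shows the regular lookup fetched a fresh service ticket instead of reusing the cached u2u one, which is the property the cc_retr.c change enforces.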