From: Isaac Boukris
Date: Tue, 15 Oct 2019 17:41:49 +0000 (+0300)
Subject: Allow client canonicalization in non-krbtgt AS-REP
X-Git-Tag: krb5-1.18-beta1~42
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F986%2Fhead;p=thirdparty%2Fkrb5.git

Allow client canonicalization in non-krbtgt AS-REP

If a caller makes an AS-REQ with the canonicalize flag set (or with an enterprise client principal or the anonymous flag), always allow the KDC to change the client principal. Continue to restrict server name changes to requests for TGS principals.

Also remove the conditional for setting canon_ok for fully anonymous requests. Both kinds of anonymous requests change the client principal or realm, but neither kind changes the server principal or realm, so this logic is no longer needed now that canon_ok only applies to server name changes.

[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT clause]

ticket: 8843 (new)
---
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dcf6663cfa..870df62a1f 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -230,17 +230,12 @@ verify_as_reply(krb5_context context,
     if (canon_req) {
         canon_ok = IS_TGS_PRINC(request->server) &&
             IS_TGS_PRINC(as_reply->enc_part2->server);
-        if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
-            canon_ok = krb5_principal_compare_any_realm(context,
-                                                        as_reply->client,
-                                                        krb5_anonymous_principal());
-        }
     } else
         canon_ok = 0;
 
     if ((!canon_ok &&
-         (!krb5_principal_compare(context, as_reply->client, request->client) ||
-          !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+         !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))
+        || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client))
         || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
         || (request->nonce != as_reply->enc_part2->nonce)
         /* XXX check for extraneous flags */
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a082a5b9f..cc5d2fc3c8 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
 realm.kinit('canon', password('canon'))
 realm.kinit('alias', password('canon'), ['-C'])
 
+# Test client name canonicalization in non-krbtgt AS reply
+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
+
 mark('LDAP password history')
 
 # Test password history.
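Review bot: The rewritten condition in verify_as_reply now encodes two different trust rules in one three-way boolean with no comment: the client name may be rewritten by the KDC whenever canon_req is set, independent of canon_ok, while the server name is still pinned to the request unless both request and reply name TGS principals. That is the intent per the commit message, but a reader of the `if ((!canon_ok &&` line has to reverse-engineer it, so a comment just above it would help, e.g. `/* The client name may change whenever canonicalization was requested; the server name may only change between TGS principals (canon_ok). */`. How canon_req is derived (canonicalize flag, enterprise client name, anonymous request) and the start of verify_as_reply are outside the hunk, so I am relying on the message for that part. Since the only thing that prevents an unrequested client rename on this path is that the reply decrypts under the client's key, it is worth confirming the t_kdb.py test also checks the resulting client principal rather than only that kinit succeeds.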
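Review bot: The added kinit only asserts that the AS exchange with `-S kadmin/changepw` succeeds; it does not confirm that the client name in the resulting ccache was actually canonicalized from alias to canon, which is the behavior the get_in_tkt.c change enables. A follow-up check such as `realm.klist('canon@' + realm.realm, 'kadmin/changepw@' + realm.realm)` after the new kinit would pin that, and would also catch a regression where the client check is skipped but the KDC returns the uncanonicalized name. The existing `-C` kinit two lines above appears to have no such check either, though that predates this commit.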