From c6c19b1d35c6523cb7ed220c1f2e97e12e039293 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Tue, 15 Oct 2019 20:41:49 +0300
Subject: [PATCH] Allow client canonicalization in non-krbtgt AS-REP
If a caller makes an AS-REQ with the canonicalize flag set (or with an enterprise client principal or the anonymous flag), always allow the KDC to change the client principal. Continue to restrict server name changes to requests for TGS principals.
Also remove the conditional for setting canon_ok for fully anonymous requests. Both kinds of anonymous requests change the client principal or realm, but neither kind changes the server principal or realm, so this logic is no longer needed now that canon_ok only applies to server name changes.
[ghudson@mit.edu: clarified commit message; removed anonymous PKINIT clause]
ticket: 8843 (new)
---
 src/lib/krb5/krb/get_in_tkt.c | 9 ++-------
 src/tests/t_kdb.py | 3 +++
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index dcf6663cfa..870df62a1f 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -230,17 +230,12 @@ verify_as_reply(krb5_context context,
 if (canon_req) {
 canon_ok = IS_TGS_PRINC(request->server) &&
 IS_TGS_PRINC(as_reply->enc_part2->server);
- if (!canon_ok && (request->kdc_options & KDC_OPT_REQUEST_ANONYMOUS)) {
- canon_ok = krb5_principal_compare_any_realm(context,
- as_reply->client,
- krb5_anonymous_principal());
- }
 } else
 canon_ok = 0;
 
 if ((!canon_ok &&
- (!krb5_principal_compare(context, as_reply->client, request->client) ||
- !krb5_principal_compare(context, as_reply->enc_part2->server, request->server)))
+ !krb5_principal_compare(context, as_reply->enc_part2->server, request->server))
+ || (!canon_req && !krb5_principal_compare(context, as_reply->client, request->client))
 || !krb5_principal_compare(context, as_reply->enc_part2->server, as_reply->ticket->server)
 || (request->nonce != as_reply->enc_part2->nonce)
 /* XXX check for extraneous flags */
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a082a5b9f..cc5d2fc3c8 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -389,6 +389,9 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
 realm.kinit('canon', password('canon'))
 realm.kinit('alias', password('canon'), ['-C'])
+# Test client name canonicalization in non-krbtgt AS reply
+realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])
+
 mark('LDAP password history')
 # Test password history.
-- 
2.47.2
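Review bot: The rewritten condition starting at `if ((!canon_ok &&` now folds two different rules into one multi-line boolean — server renames need canon_ok, client renames need only canon_req — and nothing in the hunk records why the client rule is the looser one. I would hoist the two rules into named locals before the `if`, `client_ok = canon_req || krb5_principal_compare(context, as_reply->client, request->client);` and `server_ok = canon_ok || krb5_principal_compare(context, as_reply->enc_part2->server, request->server);`, and open the check with `if (!client_ok || !server_ok`. A comment above them such as `/* With canonicalization requested the KDC may rename the client in any AS-REP; server renames are accepted only between TGS principals. */` would carry the rationale from the commit message into the code. verify_as_reply continues outside the hunk, so I assume the decryption of the reply under the client's key, which is what bounds what a KDC can place in as_reply->client, is verified in the part not shown.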
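Review bot: The added `realm.kinit('alias', password('canon'), ['-C', '-S', 'kadmin/changepw'])` only proves that kinit succeeds; it does not check that the credential was issued to the canonical name rather than to the alias, so a KDC that left the client name unchanged would also pass. A follow-up assertion on the cache contents, for example `realm.klist('canon@' + realm.realm, 'kadmin/changepw@' + realm.realm)` if the k5test helper accepts those arguments, would pin the behaviour the commit message describes. The preceding `['-C']` line has the same gap, so adding the check to both keeps the two cases parallel.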