+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo (realms (kdc.conf)): Add description of
+ reject_bad_transit realm option.
+
2001-06-26 Ezra Peisach <epeisach@mit.edu>
* user-guide.texinfo, install.texinfo: Cleanup makeinfo warning of
of principals for this realm. You should set this tag to
@samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}.
+@itemx reject_bad_transit
+A boolean value (@code{true}, @code{false}). If set to @code{true}, the
+KDC will check the list of transited realms for cross-realm tickets
+against the transit path computed from the realm names and the
+@code{capaths} section of its @code{krb5.conf} file; if the path in the
+ticket to be issued contains any realms not in the computed path, the
+ticket will not be issued, and an error will be returned to the client
+instead. If this value is set to @code{false}, such tickets will be
+issued anyways, and it will be left up to the application server to
+validate the realm transit path.
+
+If the @code{disable-transited-check} flag is set in the incoming
+request, this check is not performed at all. Having the
+@code{reject_bad_transit} option will cause such ticket requests to be
+rejected always.
+
+This transit path checking and config file option currently apply only
+to TGS requests.
+
+Earlier versions of the MIT release (before 1.2.3) had bugs in the
+application server support such that the server-side checks may not be
+performed correctly. We recommend turning this option on, unless you
+know that all application servers in this realm have been updated to
+fixed versions of the software, and for whatever reason, you don't want
+the KDC to do the validation.
+
+This is a per-realm option so that multiple-realm KDCs may control it
+separately for each realm, in case (for example) one realm has had the
+software on its application servers updated but another has not.
+
+This option defaults to @code{true}.
+
@end table
@node Sample kdc.conf File, , realms (kdc.conf), kdc.conf
-Copyright @copyright{} 1985-2000 by the Massachusetts Institute of Technology.
+Copyright @copyright{} 1985-2001 by the Massachusetts Institute of Technology.
@quotation
Export of software employing encryption from the United States of
TKT_FLG_OK_AS_DELEGATE, TKT_FLG_ANONYMOUS): New macros.
(KDC_OPT_REQUEST_ANONYMOUS, KDC_OPT_DISABLE_TRANSITED_CHECK):
Likewise.
+ (krb5_check_transited_list): Pointed-to krb5_data structures are
+ now all const.
2001-09-05 Ken Raeburn <raeburn@mit.edu>
/*
* include/krb5.h
*
- * Copyright 1989,1990,1995 by the Massachusetts Institute of Technology.
+ * Copyright 1989,1990,1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * adm.h (struct __krb5_realm_params): Added fields
+ realm_reject_bad_transit, realm_reject_bad_transit_valid; deleted
+ field realm_filler.
+
2001-07-25 Ezra Peisach <epeisach@mit.edu>
* kdb.h: For structs krb5_tl_data (tl_data_length), krb5_key_data
/*
* include/krb5/adm.h
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
krb5_timestamp realm_expiration;
krb5_flags realm_flags;
krb5_key_salt_tuple *realm_keysalts;
+ unsigned int realm_reject_bad_transit:1;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
unsigned int realm_max_rlife_valid:1;
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
- unsigned int realm_filler:7;
+ unsigned int realm_reject_bad_transit_valid:1;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
#endif /* KRB5_ADM_H__ */
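Review bot: The new value bit `realm_reject_bad_transit` is inserted ahead of the six existing `_valid` bit-fields, so every one of those bits moves to a different position in the storage unit. The same edit is made to the copy of this struct in lib/kadm5/admin.h. Anything built against the old header and linked with code built against the new one would then read the wrong validity flags, which matters because this commit makes a security decision depend on them. Appending both new bits after `realm_flags_valid` would leave the old positions untouched: `unsigned int realm_reject_bad_transit_valid:1;` followed by `unsigned int realm_reject_bad_transit:1;`. A one-line comment marking which bit-field is the value and which are validity flags would also help, since the value now sits among the `_valid` names.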
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * do_tgs_req.c (process_tgs_req): If disable-transited-check
+ option isn't set, try to verify transit path. If
+ reject_bad_transit flag is set and transit path isn't verified,
+ reject the request. Use a temporary variable to simplify
+ references to the second ticket.
+ * extern.h (struct __kdc_realm_data): Add new field
+ realm_reject_bad_transit.
+ (find_realm_data): Declare.
+ (reject_bad_transit): New macro.
+ * main.c (find_realm_data): Delete declaration.
+ (init_realm): Copy reject-bad-transit value or use default.
+ * rtest.c (find_realm_data): Define dummy version.
+
2001-09-24 Mitchell Berger <mitchb@mit.edu>
* krb5kdc.M: Document the -n option. Thanks to Dennis Davis
/*
* kdc/do_tgs_req.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
}
newtransited = 1;
}
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
+ if (errcode == 0) {
+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+ krb5_klog_syslog (LOG_INFO,
+ "bad realm transit path from '%s' to '%s' via '%.*s'",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ enc_tkt_transited.tr_contents.length,
+ enc_tkt_transited.tr_contents.data);
+ else
+ krb5_klog_syslog (LOG_ERR,
+ "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ enc_tkt_transited.tr_contents.length,
+ enc_tkt_transited.tr_contents.data,
+ error_message (errcode));
+ } else
+ krb5_klog_syslog (LOG_ERR, "not checking transit path");
+ if (reject_bad_transit
+ && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
+ errcode = KRB5KDC_ERR_POLICY;
+ status = "BAD_TRANSIT";
+ goto cleanup;
+ }
ticket_reply.enc_part2 = &enc_tkt_reply;
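Review bot: Both failure messages print `enc_tkt_transited.tr_contents`, while the object passed to `krb5_check_transited_list` is `enc_tkt_reply.transited.tr_contents`. Whether the two always hold the same data is decided outside this hunk, so the logged path may not be the one that was rejected, or may never have been filled in. I would log the checked object and cast the precision, since `%.*s` expects an `int`: `(int) enc_tkt_reply.transited.tr_contents.length, enc_tkt_reply.transited.tr_contents.data`. The final `else` also logs "not checking transit path" at `LOG_ERR` with no client or server name, even though the option is set by the requester; `LOG_INFO` with `cname`/`sname`, as in the other messages, would keep it attributable and out of the error log. The rest of process_tgs_req lies outside the hunk.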
* Make sure the client for the second ticket matches
* requested server.
*/
- if (!krb5_principal_compare(kdc_context, request->server,
- request->second_ticket[st_idx]->enc_part2->client)) {
- if ((errcode = krb5_unparse_name(kdc_context,
- request->second_ticket[st_idx]->enc_part2->client,
- &tmp)))
+ krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+ krb5_principal client2 = t2enc->client;
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
- krb5_klog_syslog(LOG_INFO, "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: authtime %d, %s for %s, 2nd tkt client %s",
- fromstring, portnum, authtime,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- tmp ? tmp : "<unknown>");
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+ fromstring, portnum, authtime,
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ tmp ? tmp : "<unknown>");
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
goto cleanup;
}
ticket_reply.enc_part.kvno = 0;
- ticket_reply.enc_part.enctype =
- request->second_ticket[st_idx]->enc_part2->session->enctype;
- if ((errcode = krb5_encrypt_tkt_part(kdc_context,
- request->second_ticket[st_idx]->enc_part2->session,
- &ticket_reply))) {
+ ticket_reply.enc_part.enctype = t2enc->session->enctype;
+ if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
+ &ticket_reply))) {
status = "2ND_TKT_ENCRYPT";
goto cleanup;
}
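Review bot: On the 2ND_TKT_MISMATCH path the string that `krb5_unparse_name` stores in `tmp` is logged and then control jumps to `cleanup` without any release visible in these lines. If the `cleanup` label, which is outside the hunk, does not free it, every mismatching request leaks one allocation in a long-running KDC, and the requester chooses when that happens. Since this block is being rewritten anyway, I would free `tmp` right after the `krb5_klog_syslog` call, using whatever unparsed-name release routine this file already uses elsewhere. The new declarations of `t2enc` and `client2` are valid C89 only if they open the enclosing block, which begins above the hunk.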
/*
* kdc/extern.h
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */
void *realm_kstypes; /* Key/Salts supported for realm */
krb5_int32 realm_nkstypes; /* Number of key/salts */
+ krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
} kdc_realm_t;
extern kdc_realm_t **kdc_realmlist;
extern int kdc_numrealms;
extern kdc_realm_t *kdc_active_realm;
+kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+
/*
* Replace previously used global variables with the active (e.g. request's)
* realm data. This allows us to support multiple realms with minimal logic
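Review bot: The comment on the new `realm_reject_bad_transit` member, "Accept unverifiable transited_realm ?", states the opposite of what the field does. In this commit's do_tgs_req.c change a true value makes the KDC refuse the request with `KRB5KDC_ERR_POLICY` when the transit path was not verified. A reader who trusts the comment could set or test the flag the wrong way round, so I would reword it as `/* Reject tickets whose transit path was not verified? */`. The newly exported `find_realm_data (char *, krb5_ui_4)` prototype would also benefit from parameter names, matching the `rname`/`rsize` used by the stub in rtest.c.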
#define tgs_server kdc_active_realm->realm_tgsprinc
#define dbm_db_name kdc_active_realm->realm_dbname
#define primary_port kdc_active_realm->realm_pport
+#define reject_bad_transit kdc_active_realm->realm_reject_bad_transit
/* various externs for KDC */
extern krb5_data empty_string; /* an empty string */
/*
* kdc/main.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
extern int daemon(int, int);
#endif
-kdc_realm_t *find_realm_data (char *, krb5_ui_4);
-
void usage (char *);
krb5_sigtype request_exit (int);
else
rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN;
+ /* Handle reject-bad-transit flag */
+ if (rparams && rparams->realm_reject_bad_transit_valid)
+ rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
+ else
+ rdp->realm_reject_bad_transit = 1;
+
/* Handle ticket maximum life */
rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
}
void krb5_klog_syslog() {}
+kdc_realm_t *find_realm_data (char *rname, krb5_ui_4 rsize) { return 0; }
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.h (krb5_realm_params): Add fields realm_reject_bad_transit
+ and realm_reject_bad_transit_valid; delete field realm_filler.
+ * alt_prof.c (string_to_boolean, krb5_aprof_get_boolean): New
+ functions.
+ (krb5_read_realm_params): Parse "reject_bad_transit" value as
+ boolean and save it.
+
2001-07-25 Ezra Peisach <epeisach@mit.edu>
* kadm_rpc_xdr.c: Add xdr_krb5_ui_2.
+/*
+ * lib/kadm5/admin.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
krb5_timestamp realm_expiration;
krb5_flags realm_flags;
krb5_key_salt_tuple *realm_keysalts;
+ unsigned int realm_reject_bad_transit:1;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
unsigned int realm_max_rlife_valid:1;
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
- unsigned int realm_filler:7;
+ unsigned int realm_reject_bad_transit_valid:1;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
/*
* lib/kadm/alt_prof.c
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
retdata));
}
+/*
+ * krb5_aprof_get_boolean()
+ *
+ * Parameters:
+ * acontext - opaque context for alternate profile
+ * hierarchy - hierarchy of value to retrieve
+ * retdata - Returned data value
+ * Returns:
+ * error codes
+ */
+
+static krb5_error_code
+string_to_boolean (const char *string, krb5_boolean *out)
+{
+ static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" };
+ static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" };
+ int i;
+
+ for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
+ if (!strcasecmp(string, yes[i])) {
+ *out = 1;
+ return 0;
+ }
+ for (i = 0; i < sizeof(no)/sizeof(no[0]); i++)
+ if (!strcasecmp(string, no[i])) {
+ *out = 0;
+ return 0;
+ }
+ return PROF_BAD_BOOLEAN;
+}
+
+krb5_error_code
+krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
+ int uselast, int *retdata)
+{
+ krb5_error_code kret;
+ char **values;
+ char *valp;
+ int idx;
+ krb5_boolean val;
+
+ kret = krb5_aprof_getvals (acontext, hierarchy, &values);
+ if (kret)
+ return kret;
+ idx = 0;
+ if (uselast) {
+ while (values[idx])
+ idx++;
+ idx--;
+ }
+ valp = values[idx];
+ kret = string_to_boolean (valp, &val);
+ if (kret)
+ return kret;
+ *retdata = val;
+ return 0;
+}
+
/*
* krb5_aprof_get_deltat() - Get a delta time value from the alternate
* profile.
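Review bot: `krb5_aprof_get_boolean` never releases `values`, neither on success nor when `string_to_boolean` fails. If `krb5_aprof_getvals` allocates that list for its caller (its definition is outside the hunk), each call leaks it, so the list should be freed right after `string_to_boolean` returns and before either `return`. The out parameter is declared `int *retdata`, but the one caller visible on this page passes the address of a `krb5_boolean`; `int uselast, krb5_boolean *retdata)` would make the types agree. With `uselast` set, an empty list leaves `idx` at -1 before `values[idx]` is read, so the function relies on `krb5_aprof_getvals` failing when there are no values, which deserves a comment or an explicit `idx < 0` check. The header comment titled `krb5_aprof_get_boolean()` sits above `string_to_boolean` and does not describe `uselast`.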
const char *hierarchy[4];
char *svalue;
krb5_int32 ivalue;
+ krb5_boolean bvalue;
krb5_deltat dtvalue;
krb5_error_code kret;
rparams->realm_expiration_valid = 1;
krb5_xfree(svalue);
}
-
+
+ hierarchy[2] = "reject_bad_transit";
+ if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+ rparams->realm_reject_bad_transit = bvalue;
+ rparams->realm_reject_bad_transit_valid = 1;
+ }
+
/* Get the value for the default principal flags */
hierarchy[2] = "default_principal_flags";
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
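Review bot: Every non-zero return from `krb5_aprof_get_boolean` is handled here as "option not set", including the `PROF_BAD_BOOLEAN` that `string_to_boolean` returns for an unrecognised spelling. A misspelled `reject_bad_transit` value in kdc.conf is therefore dropped silently and the default applies, and nothing tells the administrator that the configured value was ignored. Distinguishing the parse error from a missing key and reporting it would make this setting auditable. At minimum the block should say so, e.g. `/* an unparsable value is ignored; the caller's default applies */`. krb5_read_realm_params starts and ends outside this hunk, so the right reporting channel is for the author to choose.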