From 39cbdfcf334c5d19be70a2ce5e8d7b5c392e5d3f Mon Sep 17 00:00:00 2001
From: Tom Yu
Date: Thu, 15 Aug 2002 20:48:24 +0000
Subject: [PATCH] * kerberos_v4.c: For consistency, check for both DISALLOW_ALL_TIX and DISALLOW_SVR when looking up services.
git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@14726 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/kdc/ChangeLog | 5 +++++
 src/kdc/kerberos_v4.c | 25 ++++++++++++++++++++++++-
 2 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index 617beb4cc..d2b3e7ab0 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,8 @@
+2002-08-15 Tom Yu
+
+ * kerberos_v4.c: For consistency, check for both DISALLOW_ALL_TIX
+ and DISALLOW_SVR when looking up services.
+
 2002-08-08 Ken Raeburn
 * network.c (setup_port): Ignore AF_LINK addresses. Log address
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index cf9fa9fee..a1f271494 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -156,7 +156,7 @@ static int set_tgtkey (char *, krb5_kvno);
 #define V4_KDB_REQUIRES_PREAUTH 0x1
 #define V4_KDB_DISALLOW_ALL_TIX 0x2
 #define V4_KDB_REQUIRES_PWCHANGE 0x4
-
+#define V4_KDB_DISALLOW_SVR 0x8
 /* v4 compatibitly mode switch */
 #define KDC_V4_NONE 0 /* Don't even respond to packets */
@@ -547,6 +547,9 @@ kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno,
 if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
 principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
 }
+ if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
+ principal->attributes |= V4_KDB_DISALLOW_SVR;
+ }
 if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
 principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
 }
@@ -1121,6 +1124,13 @@ check_princ(p_name, instance, lifetime, p, k5key, issrv, k5life)
 return KERB_ERR_NAME_EXP;
 }
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
+ "\"%s\" \"%s\"", p_name, instance);
+ /* Not sure of a better error to return */
+ return KERB_ERR_NAME_EXP;
+ }
+
 /*
 * Does the principal require preauthentication?
 */
@@ -1181,6 +1191,19 @@ set_tgtkey(r, kvno)
 if (n == 0)
 return (KFAILURE);
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
+ lt = klog(L_ERR_SEXP,
+ "V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
 if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
 krb_set_key_krb5(kdc_context, &k5key);
 strncpy(lastrealm, r, sizeof(lastrealm) - 1);
--
2.26.2
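Review bot: The DISALLOW_SVR branch added to check_princ tests the bit without looking at `issrv`, so it is correct only because kerb_get_principal (second hunk of this file) sets V4_KDB_DISALLOW_SVR solely when its own `issrv` is true; nothing at this site says so. A comment above the test, e.g. `/* V4_KDB_DISALLOW_SVR is only set by kerb_get_principal() for service lookups */`, would keep the two places in step. The branch also returns KERB_ERR_NAME_EXP and logs under L_ERR_SEXP, which by their names describe expiry rather than a policy denial, so the log text is the only place an operator can tell the two apart; the existing comment already flags the return code. check_princ starts and ends outside the hunk.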
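Review bot: The DISALLOW_ALL_TIX and DISALLOW_SVR checks added to set_tgtkey may be skipped for a realm whose key is already cached: the trailing context stores `r` in `lastrealm`, and if the code above the hunk returns early when `lastrealm` matches (not visible here), a flag set on the krbtgt entry after the first lookup would not be enforced until the cached realm or kvno changes. If that is the case, a comment next to the checks such as `/* enforced on fresh lookups only; a cached TGT key is not revalidated */` would document the window for whoever disables a krbtgt principal during incident response. The two blocks also repeat the same `krb5_free_keyblock_contents(kdc_context, &k5key); return KFAILURE;` cleanup and could share one failure path so that a later change to the cleanup cannot miss one of them. set_tgtkey starts and ends outside the hunk.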