oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

hdb: add no-auth-data-reqd flag to HDB entry

Browse Source 
Add a new flag, no-auth-data-reqd, to the HDB entry which indicates that a PAC
should not be included on issued service tickets.
This commit is contained in:
Luke Howard
2021-12-23 13:24:10 +11:00
parent 317df4dbd4
commit 0165633964
7 changed files with 26 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
kadmin/kadmin.1
View File

@@ -423,7 +423,8 @@ Possible attributes are:
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated
.Li disallow-postdated ,
.Li no-auth-data-reqd
.Pp
Attributes may be negated with a "-", e.g.,
.Pp

1
kadmin/util.c
View File

@@ -69,6 +69,7 @@ struct units kdb_attrs[] = {
{ "disallow-tgt-based", KRB5_KDB_DISALLOW_TGT_BASED },
{ "disallow-forwardable", KRB5_KDB_DISALLOW_FORWARDABLE },
{ "disallow-postdated", KRB5_KDB_DISALLOW_POSTDATED },
{ "no-auth-data-reqd", KRB5_KDB_NO_AUTH_DATA_REQUIRED },
{ NULL, 0 }
};

1
lib/hdb/hdb.asn1
View File

@@ -54,6 +54,7 @@ HDBFlags ::= BIT STRING {
virtual-keys(20), -- entry stored; keys mostly derived
virtual(21), -- entry not stored; keys always derived
synthetic(22), -- entry not stored; for PKINIT
no-auth-data-reqd(23), -- omit PAC from service tickets
force-canonicalize(30), -- force the KDC to return the canonical
-- principal irrespective of the setting

1
lib/kadm5/admin.h
View File

@@ -77,6 +77,7 @@
#define KRB5_KDB_VIRTUAL_KEYS 0x00200000 /* MIT doesn't have this */
#define KRB5_KDB_VIRTUAL 0x00400000 /* MIT doesn't have this */
#define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this */
#define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x01000000 /* 0x00400000 in MIT */
/*
* MIT has:

1
lib/kadm5/ent_setup.c
View File

@@ -63,6 +63,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
flags->materialize = !!(attr & KRB5_KDB_MATERIALIZE);
flags->virtual_keys = !!(attr & KRB5_KDB_VIRTUAL_KEYS);
flags->virtual = !!(attr & KRB5_KDB_VIRTUAL);
flags->no_auth_data_reqd = !!(attr & KRB5_KDB_NO_AUTH_DATA_REQUIRED);
}
/*

1
lib/kadm5/get_s.c
View File

@@ -185,6 +185,7 @@ kadm5_s_get_principal(void *server_handle,
out->attributes |= ent.entry.flags.allow_digest ? KRB5_KDB_ALLOW_DIGEST : 0;
out->attributes |= ent.entry.flags.virtual_keys ? KRB5_KDB_VIRTUAL_KEYS : 0;
out->attributes |= ent.entry.flags.virtual ? KRB5_KDB_VIRTUAL : 0;
out->attributes |= ent.entry.flags.no_auth_data_reqd ? KRB5_KDB_NO_AUTH_DATA_REQUIRED : 0;
}
if(mask & KADM5_MAX_LIFE) {
if(ent.entry.max_life)

19
tests/kdc/check-kdc.in
View File

@@ -77,6 +77,7 @@ kpasswdd="${kpasswdd} --addresses=localhost -p $pwport"
server=host/datan.test.h5l.se
server2=host/computer.example.com
server3=host/refer-me-out.test.h5l.se
server4=host/no-auth-data-reqd.test.h5l.se
serverip=host/10.11.12.13
serveripname=host/ip.test.h5l.org
serveripname2=host/10.11.12.14
@@ -246,6 +247,10 @@ ${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
${kadmin} add -p nopac --use-defaults ${server4}@${R2} || exit 1
${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server4}@${R2} || exit 1
${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
@@ -525,6 +530,20 @@ for a in $enctypes; do
done
${kdestroy}
echo "Getting client initial tickets with PAC"; > messages.log
${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
{ ec=1 ; eval "${testfailed}"; }
${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy} --credential=${server4}@${R2}
done
${kdestroy}
echo "Getting client authenticated anonymous initial tickets"; > messages.log
${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
{ ec=1 ; eval "${testfailed}"; }