s4:heimdal Add hooks to check with the DB before we allow s4u2self
This allows the backend to resolve multiple forms of a name, so that for example machine$@REALM can obtain an S4U2Self ticket for host/machine@REALM. Andrew Bartlett Signed-off-by: Love Hornquist Astrand <lha@h5l.org>

committed by
Love Hornquist Astrand

parent
77a6204452
commit
0e128912af
@@ -494,7 +494,7 @@ check_tgs_flags(krb5_context context,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
*
|
* Determine if constrained delegation is allowed from this client to this server
|
||||||
*/
|
*/
|
||||||
|
|
||||||
static krb5_error_code
|
static krb5_error_code
|
||||||
@@ -536,6 +536,36 @@ check_constrained_delegation(krb5_context context,
|
|||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Determine if s4u2self is allowed from this client to this server
|
||||||
|
*
|
||||||
|
* For example, regardless of the principal being impersonated, if the
|
||||||
|
* 'client' and 'server' are the same, then it's safe.
|
||||||
|
*/
|
||||||
|
|
||||||
|
static krb5_error_code
|
||||||
|
check_s4u2self(krb5_context context,
|
||||||
|
krb5_kdc_configuration *config,
|
||||||
|
HDB *clientdb,
|
||||||
|
hdb_entry_ex *client,
|
||||||
|
krb5_const_principal server)
|
||||||
|
{
|
||||||
|
krb5_error_code ret;
|
||||||
|
|
||||||
|
/* if client does a s4u2self to itself, that ok */
|
||||||
|
if (krb5_principal_compare(context, client->entry.principal, server) == TRUE)
|
||||||
|
return 0;
|
||||||
|
|
||||||
|
if (clientdb->hdb_check_s4u2self) {
|
||||||
|
ret = clientdb->hdb_check_s4u2self(context, clientdb, client, server);
|
||||||
|
if (ret == 0)
|
||||||
|
return 0;
|
||||||
|
} else {
|
||||||
|
ret = KRB5KDC_ERR_BADOPTION;
|
||||||
|
}
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
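Review bot: The new check_s4u2self passes the backend hook's non-zero return straight back to its caller without documenting what that value is expected to be, and the header comment says nothing about the fail-closed default taken when no hook is registered (the `} else { ret = KRB5KDC_ERR_BADOPTION; }` branch). Since this return value ends up as the KDC's answer to the client, the contract should be written down where implementers will read it; I would extend the comment above the function to: `Returns 0 if the impersonating client may request a ticket in its own name for 'server'. A backend hook returning 0 allows it; any other return value denies it and is propagated as the error. With no hook registered, only a request for the client's own principal is allowed.` The `config` parameter is also unused in the body as written; either drop it or note why it is reserved.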
@@ -1793,13 +1823,13 @@ server_lookup:
|
|||||||
* Check that service doing the impersonating is
|
* Check that service doing the impersonating is
|
||||||
* requesting a ticket to it-self.
|
* requesting a ticket to it-self.
|
||||||
*/
|
*/
|
||||||
if (krb5_principal_compare(context, cp, sp) != TRUE) {
|
ret = check_s4u2self(context, config, clientdb, client, sp);
|
||||||
|
if (ret) {
|
||||||
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
|
kdc_log(context, config, 0, "S4U2Self: %s is not allowed "
|
||||||
"to impersonate some other user "
|
"to impersonate to service "
|
||||||
"(tried for user %s to service %s)",
|
"(tried for user %s to service %s)",
|
||||||
cpn, selfcpn, spn);
|
cpn, selfcpn, spn);
|
||||||
free(selfcpn);
|
free(selfcpn);
|
||||||
ret = KRB5KDC_ERR_BADOPTION; /* ? */
|
|
||||||
goto out;
|
goto out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
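Review bot: The removed `ret = KRB5KDC_ERR_BADOPTION; /* ? */` line means the error returned to the client on the `goto out` path is now whatever check_s4u2self (and so the HDB backend hook) happened to return, which for a backend that fails for a non-policy reason may not be a KDC protocol error at all. The kdc_log line on the same path reports every non-zero return as "is not allowed to impersonate", so a backend lookup failure is logged as a policy denial and the actual code is lost. Unless every backend is guaranteed to return a KRB5KDC_ERR_* value here, I would restore the normalisation after the log call for anything else, e.g. `if (ret != KRB5KDC_ERR_BADOPTION) ret = KRB5KDC_ERR_BADOPTION;`, or at least add `ret` to the log message so the reason is visible. The enclosing function starts and ends outside this hunk, so I cannot see how `out:` translates `ret` before it reaches the wire.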
@@ -235,9 +235,14 @@ typedef struct HDB{
|
|||||||
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
|
* Check if this name is an alias for the supplied client for PKINIT userPrinicpalName logins
|
||||||
*/
|
*/
|
||||||
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
|
krb5_error_code (*hdb_check_pkinit_ms_upn_match)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Check if s4u2self is allowed from this client to this server
|
||||||
|
*/
|
||||||
|
krb5_error_code (*hdb_check_s4u2self)(krb5_context, struct HDB *, hdb_entry_ex *, krb5_const_principal);
|
||||||
}HDB;
|
}HDB;
|
||||||
|
|
||||||
#define HDB_INTERFACE_VERSION 6
|
#define HDB_INTERFACE_VERSION 7
|
||||||
|
|
||||||
struct hdb_so_method {
|
struct hdb_so_method {
|
||||||
int version;
|
int version;
|
||||||
|
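Review bot: The doc comment on the new `hdb_check_s4u2self` member gives implementers no return-value contract or parameter meaning, and the KDC-side caller depends on exactly that (0 allows, anything else is treated as a denial and propagated). I would expand it to: `Check if the client (the impersonating service, given as its hdb_entry_ex) may obtain an S4U2Self ticket for the given server principal, which may be an alias of the client. Return 0 to allow; any other value denies the request and is returned to the KDC. May be NULL, in which case only a request for the client's own principal is permitted.` Appending the pointer at the end of the struct and bumping HDB_INTERFACE_VERSION to 7 is the right way to keep existing backends from reading a garbage slot, but it is worth stating in the comment that the KDC checks this member for NULL before calling it, so that the expectation is explicit rather than inferred from krb5tgs.c.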