From 256cf6ea12d9e844591b6c4af63b161169f652c3 Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 6 Apr 2011 01:26:37 -0500
Subject: [PATCH] This patch adds support for a use-strongest-server-key krb5.conf kdc parameter that controls how the KDC (AS and TGS) selects a long-term key from a service principal's HDB entry. If TRUE the KDC picks the strongest supported key from the service principal's current keyset. If FALSE the KDC picks the first supported key from the service principal's current keyset.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Love Hörnquist Åstrand
---
 kdc/default_config.c | 5 +++++
 kdc/kdc.h | 1 +
 kdc/misc.c | 31 +++++++++++++++++++++----------
 lib/krb5/krb5.conf.5 | 5 +++++
 4 files changed, 32 insertions(+), 10 deletions(-)

diff --git a/kdc/default_config.c b/kdc/default_config.c
index a22e75f61..669df4ee7 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -133,6 +133,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->tgs_use_strongest_session_key,
 "kdc",
 "tgs-use-strongest-session-key", NULL);
+ c->use_strongest_server_key =
+ krb5_config_get_bool_default(context, NULL,
+ c->use_strongest_server_key,
+ "kdc",
+ "use-strongest-server-key", NULL);
 
 c->check_ticket_addresses =
 krb5_config_get_bool_default(context, NULL,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 497163521..9d52fd4c2 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -62,6 +62,7 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean as_use_strongest_session_key;
 krb5_boolean preauth_use_strongest_session_key;
 krb5_boolean tgs_use_strongest_session_key;
+ krb5_boolean use_strongest_server_key;
 
 krb5_boolean check_ticket_addresses;
 krb5_boolean allow_null_ticket_addresses;
diff --git a/kdc/misc.c b/kdc/misc.c
index 458878504..fb67d5e6f 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
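Review bot: In the kdc/default_config.c hunk the new `c->use_strongest_server_key` is handed to krb5_config_get_bool_default as its own default, but nothing in the hunk gives the field an initial value; unless krb5_kdc_get_config assigns it earlier (the function starts outside the hunk), the effective default is whatever the allocation left in the struct, presumably FALSE, while the krb5.conf.5 hunk documents "Defaults to TRUE". The neighbouring `tgs_use_strongest_session_key` presumably gets its default in that earlier part of the function, so mirror it there with `c->use_strongest_server_key = TRUE;`, or at least add `/* default: TRUE, see krb5.conf.5 */` at this assignment so the two stay in step. A wrong default here silently switches the KDC onto the new FALSE path of _kdc_get_preferred_key, which decides which long-term key tickets are encrypted with, so the value should be pinned explicitly rather than inherited from zeroed memory.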
@@ -134,24 +134,35 @@ _kdc_get_preferred_key(krb5_context context,
 krb5_enctype *enctype,
 Key **key)
 {
- const krb5_enctype *p;
 krb5_error_code ret;
 int i;
 
- p = krb5_kerberos_enctypes(context);
+ if (config->use_strongest_server_key) {
+ const krb5_enctype *p = krb5_kerberos_enctypes(context);
 
- for (i = 0; p[i] != ETYPE_NULL; i++) {
- if (krb5_enctype_valid(context, p[i]) != 0)
- continue;
- ret = hdb_enctype2key(context, &h->entry, p[i], key);
- if (ret == 0) {
- *enctype = p[i];
- return 0;
+ for (i = 0; p[i] != ETYPE_NULL; i++) {
+ if (krb5_enctype_valid(context, p[i]) != 0)
+ continue;
+ ret = hdb_enctype2key(context, &h->entry, p[i], key);
+ if (ret == 0) {
+ *enctype = p[i];
+ return 0;
+ }
+ }
+ } else {
+ *key = NULL;
+
+ for (i = 0; i < h->entry.keys.len; i++) {
+ if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
+ != 0) {
+ *key = &h->entry.keys.val[i];
+ return 0;
+ }
 }
 }
 
 krb5_set_error_message(context, EINVAL,
 "No valid kerberos key found for %s", name);
- return EINVAL;
+ return EINVAL; /* XXX */
 }
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 9c2908e09..17241b31a 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -418,6 +418,11 @@ pre-authentication). Defaults to TRUE.
 .It Li tgs-use-strongest-session-key = Va BOOL
 Like as-use-strongest-session-key, but applies to the session key enctype of tickets issued by the TGS. Defaults to TRUE.
+.It Li use-strongest-server-key = Va BOOL
+If TRUE then the KDC picks, for the ticket encrypted part's key, the
+first supported enctype from the target service principal's hdb entry's
+current keyset. Else the KDC picks the first supported enctype from the
+target service principal's hdb entry's current keyset. Defaults to TRUE.
 .It Li check-ticket-addresses = Va BOOL
 Verify the addresses in the tickets used in tgs requests.
 .\" XXX
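Review bot: The condition in the new `else` branch of _kdc_get_preferred_key (kdc/misc.c hunk) is inverted: the strongest-key branch right above it treats a non-zero `krb5_enctype_valid()` result as "unsupported, skip", yet the first-key loop selects an entry exactly when `krb5_enctype_valid(...) != 0`, so with use-strongest-server-key = FALSE the KDC either hands back a key whose enctype it does not itself support or, when every key is supported, falls through to "No valid kerberos key found" and refuses to issue the ticket. That branch also never writes `*enctype`, unlike the strongest-key branch, so a caller reading it after a successful return sees stale data. Change `!= 0) {` to `== 0) {` and add `*enctype = h->entry.keys.val[i].key.keytype;` immediately before `*key = &h->entry.keys.val[i];`. The function's signature, including the `config`, `h` and `name` parameters the hunk uses, begins outside the hunk. Separately, the krb5.conf.5 hunk describes both settings as picking the "first supported enctype"; the TRUE sentence should say "strongest", as the commit message does.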