This patch adds support for a use-strongest-server-key krb5.conf kdc parameter that controls how the KDC (AS and TGS) selects a long-term key from a service principal's HDB entry. If TRUE, the KDC picks the strongest supported key from the service principal's current keyset. If FALSE, the KDC picks the first supported key from the service principal's current keyset.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>

committed by
Love Hörnquist Åstrand

parent
481fe133b2
commit
256cf6ea12
31
kdc/misc.c
31
kdc/misc.c
@@ -134,24 +134,35 @@ _kdc_get_preferred_key(krb5_context context,
|
||||
krb5_enctype *enctype,
|
||||
Key **key)
|
||||
{
|
||||
const krb5_enctype *p;
|
||||
krb5_error_code ret;
|
||||
int i;
|
||||
|
||||
p = krb5_kerberos_enctypes(context);
|
||||
if (config->use_strongest_server_key) {
|
||||
const krb5_enctype *p = krb5_kerberos_enctypes(context);
|
||||
|
||||
for (i = 0; p[i] != ETYPE_NULL; i++) {
|
||||
if (krb5_enctype_valid(context, p[i]) != 0)
|
||||
continue;
|
||||
ret = hdb_enctype2key(context, &h->entry, p[i], key);
|
||||
if (ret == 0) {
|
||||
*enctype = p[i];
|
||||
return 0;
|
||||
for (i = 0; p[i] != ETYPE_NULL; i++) {
|
||||
if (krb5_enctype_valid(context, p[i]) != 0)
|
||||
continue;
|
||||
ret = hdb_enctype2key(context, &h->entry, p[i], key);
|
||||
if (ret == 0) {
|
||||
*enctype = p[i];
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
} else {
|
||||
*key = NULL;
|
||||
|
||||
for (i = 0; i < h->entry.keys.len; i++) {
|
||||
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
|
||||
!= 0) {
|
||||
*key = &h->entry.keys.val[i];
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
krb5_set_error_message(context, EINVAL,
|
||||
"No valid kerberos key found for %s", name);
|
||||
return EINVAL;
|
||||
return EINVAL; /* XXX */
|
||||
}
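Review bot: The new `else` branch (the use-strongest-server-key FALSE path) tests `krb5_enctype_valid(...) != 0` and returns that key, which is the inverse of the check the strongest-key branch above makes (there a non-zero result means `continue`), so this path hands back the first key whose enctype is *not* accepted and skips every accepted one, the opposite of the "first supported key" described in the commit message; a KDC could then operate on a key of an enctype it has been configured to reject. The same branch never stores `*enctype`, unlike the `hdb_enctype2key` path, so a caller that reads `*enctype` after a successful return on this path gets whatever value it held before the call. Both are fixed by skipping on non-zero and recording the enctype alongside the key, as below. `_kdc_get_preferred_key`'s signature begins before the hunk; the `int i` loop counter is compared with `h->entry.keys.len`, whose type is not visible here, so it may also be worth checking for a signed/unsigned mismatch.
```c
    } else {
	*key = NULL;

	for (i = 0; i < h->entry.keys.len; i++) {
	    /* krb5_enctype_valid() returns 0 for an enctype the KDC accepts */
	    if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
		!= 0)
		continue;
	    *enctype = h->entry.keys.val[i].key.keytype;
	    *key = &h->entry.keys.val[i];
	    return 0;
	}
    }
    /* … unchanged: krb5_set_error_message and EINVAL return … */
```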
|
||||
|
||||
|