oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

This patch adds support for a use-strongest-server-key krb5.conf kdc parameter that controls how the KDC (AS and TGS) selects a long-term key from a service principal's HDB entry. If TRUE the KDC picks the strongest supported key from the service principal's current keyset. If FALSE the KDC picks the first supported key from the service principal's current keyset.

Browse Source 
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
This commit is contained in:
Nicolas Williams
2011-04-06 01:26:37 -05:00
committed by Love Hörnquist Åstrand
parent 481fe133b2
commit 256cf6ea12
4 changed files with 32 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
kdc/default_config.c
View File

@@ -133,6 +133,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->tgs_use_strongest_session_key, c->tgs_use_strongest_session_key,
"kdc", "kdc",
"tgs-use-strongest-session-key", NULL); "tgs-use-strongest-session-key", NULL);
c->use_strongest_server_key =
krb5_config_get_bool_default(context, NULL,
c->use_strongest_server_key,
"kdc",
"use-strongest-server-key", NULL);
c->check_ticket_addresses = c->check_ticket_addresses =
krb5_config_get_bool_default(context, NULL, krb5_config_get_bool_default(context, NULL,

1
kdc/kdc.h
View File

@@ -62,6 +62,7 @@ typedef struct krb5_kdc_configuration {
krb5_boolean as_use_strongest_session_key; krb5_boolean as_use_strongest_session_key;
krb5_boolean preauth_use_strongest_session_key; krb5_boolean preauth_use_strongest_session_key;
krb5_boolean tgs_use_strongest_session_key; krb5_boolean tgs_use_strongest_session_key;
krb5_boolean use_strongest_server_key;
krb5_boolean check_ticket_addresses; krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses; krb5_boolean allow_null_ticket_addresses;

31
kdc/misc.c
View File

@@ -134,24 +134,35 @@ _kdc_get_preferred_key(krb5_context context,
krb5_enctype *enctype, krb5_enctype *enctype,
Key **key) Key **key)
{ {
const krb5_enctype *p;
krb5_error_code ret; krb5_error_code ret;
int i; int i;
p = krb5_kerberos_enctypes(context); if (config->use_strongest_server_key) {
const krb5_enctype *p = krb5_kerberos_enctypes(context);
for (i = 0; p[i] != ETYPE_NULL; i++) { for (i = 0; p[i] != ETYPE_NULL; i++) {
if (krb5_enctype_valid(context, p[i]) != 0) if (krb5_enctype_valid(context, p[i]) != 0)
continue; continue;
ret = hdb_enctype2key(context, &h->entry, p[i], key); ret = hdb_enctype2key(context, &h->entry, p[i], key);
if (ret == 0) { if (ret == 0) {
*enctype = p[i]; *enctype = p[i];
return 0; return 0;
}
}
} else {
*key = NULL;
for (i = 0; i < h->entry.keys.len; i++) {
if (krb5_enctype_valid(context, h->entry.keys.val[i].key.keytype)
!= 0) {
*key = &h->entry.keys.val[i];
return 0;
}
} }
} }
krb5_set_error_message(context, EINVAL, krb5_set_error_message(context, EINVAL,
"No valid kerberos key found for %s", name); "No valid kerberos key found for %s", name);
return EINVAL; return EINVAL; /* XXX */
} }

5
lib/krb5/krb5.conf.5
View File

@@ -418,6 +418,11 @@ pre-authentication). Defaults to TRUE.
.It Li tgs-use-strongest-session-key = Va BOOL .It Li tgs-use-strongest-session-key = Va BOOL
Like as-use-strongest-session-key, but applies to the session key Like as-use-strongest-session-key, but applies to the session key
enctype of tickets issued by the TGS. Defaults to TRUE. enctype of tickets issued by the TGS. Defaults to TRUE.
.It Li use-strongest-server-key = Va BOOL
If TRUE then the KDC picks, for the ticket encrypted part's key, the
first supported enctype from the target service principal's hdb entry's
current keyset. Else the KDC picks the first supported enctype from the
target service principal's hdb entry's current keyset. Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL .It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests. Verify the addresses in the tickets used in tgs requests.
.\" XXX .\" XXX