From 2a38fa17b5bc6f7237ffa06d63676a47e36a2bd5 Mon Sep 17 00:00:00 2001
From: Nicolas Williams <nico@twosigma.com>
Date: Sun, 4 Jun 2023 22:55:54 -0500
Subject: [PATCH] kdc: Add global disable_pac config param
---
 kdc/default_config.c | 9 +++++++++
 kdc/kdc_locl.h | 1 +
 kdc/misc.c | 4 ++++
 lib/krb5/krb5.conf.5 | 5 +++++
 4 files changed, 19 insertions(+)
diff --git a/kdc/default_config.c b/kdc/default_config.c
index 83c73504c..6bec10323 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -101,6 +101,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->strict_nametypes = FALSE;
 c->trpolicy = TRPOLICY_ALWAYS_CHECK;
 c->require_pac = FALSE;
+ c->disable_pac = FALSE;
 c->enable_fast = TRUE;
 c->enable_armored_pa_enc_timestamp = TRUE;
 c->enable_unarmored_pa_enc_timestamp = TRUE;
@@ -263,6 +264,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 "require_pac", NULL);
+ c->disable_pac = krb5_config_get_bool_default(context, NULL, c->disable_pac, "kdc", "disable_pac", NULL);
+
 c->enable_fast = krb5_config_get_bool_default(context, NULL,
diff --git a/kdc/kdc_locl.h b/kdc/kdc_locl.h
index 123b7e560..caee019af 100644
--- a/kdc/kdc_locl.h
+++ b/kdc/kdc_locl.h
@@ -100,6 +100,7 @@ struct krb5_kdc_configuration {
 enum krb5_kdc_trpolicy trpolicy;
 unsigned int require_pac : 1;
+ unsigned int disable_pac : 1;
 unsigned int enable_fast : 1;
 unsigned int enable_armored_pa_enc_timestamp : 1;
 unsigned int enable_unarmored_pa_enc_timestamp : 1;
diff --git a/kdc/misc.c b/kdc/misc.c
index 1c780df9f..34d93908a 100644
--- a/kdc/misc.c
+++ b/kdc/misc.c
@@ -348,6 +348,10 @@ _kdc_include_pac_p(astgs_request_t r)
 }
 if (r->server->flags.no_auth_data_reqd) return FALSE;
+ if (r->server->flags.auth_data_reqd) return TRUE;
+ if (r->config->disable_pac) return FALSE;
 return !!(r->pac_attributes & (KRB5_PAC_WAS_REQUESTED | KRB5_PAC_WAS_GIVEN_IMPLICITLY));
 }
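Review bot: The new `disable_pac` lookup in the second default_config.c hunk is never checked against `require_pac`, which is read just above it, so a krb5.conf that sets both is accepted silently. If `require_pac` keeps its existing meaning of refusing tickets that carry no PAC (that code is not visible from this hunk, so treat this as a question), such a KDC would mint PAC-less TGTs that it then rejects on the TGS path, a confusing outage rather than a security hole, but one that is cheap to catch at load time. I would add, right after the `disable_pac` read, a check on `c->disable_pac && c->require_pac` that logs a warning or fails configuration, and mention the conflict in the krb5.conf(5) entry for `disable_pac`. krb5_kdc_get_config starts and ends outside this hunk.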
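Review bot: In the misc.c hunk the new `if (r->server->flags.auth_data_reqd) return TRUE;` sits ahead of the existing `pac_attributes` test, so every service with auth-data-reqd now receives a PAC even when `disable_pac` is off and the client opted out (neither KRB5_PAC_WAS_REQUESTED nor KRB5_PAC_WAS_GIVEN_IMPLICITLY set), which is wider than the `disable_pac` knob the commit title and the new krb5.conf(5) text describe. If the intent is only that auth-data-reqd services keep getting a PAC while the global switch is on, a single guarded short-circuit preserves the old behaviour for everyone else: `if (r->config->disable_pac && !r->server->flags.auth_data_reqd)` / `return FALSE;` in place of the four added lines. If overriding a client's opt-out for auth-data-reqd services is intended, it is a separate behaviour change and should be named in the commit message and the man page. Note also that `no_auth_data_reqd` is tested first, so a principal with both flags set still gets no PAC; that ordering looks deliberate but deserves a one-line comment such as `/* no_auth_data_reqd wins over auth_data_reqd and over disable_pac */`. _kdc_include_pac_p begins outside this hunk.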
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 06d069d25..41b2d3b40 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -828,6 +828,11 @@ addresses in the tickets.
 .It Li allow-null-ticket-addresses = Va BOOL Allow address-less tickets.
 .\" XXX
+.It Li disable_pac = Va BOOL Do not include a PAC in service tickets. However, if a service has the .Li auth-data-reqd attribute then the KDC will include a PAC anyways.
 .It Li enable_fast = Va BOOL Enable RFC 6113 FAST support, this is enabled by default.
 .It Li enable_armored_pa_enc_timestamp = Va BOOL