From 481fe133b232f44625f446bac38a853a5a87e88e Mon Sep 17 00:00:00 2001
From: Nicolas Williams
Date: Wed, 6 Apr 2011 00:52:18 -0500
Subject: [PATCH] Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Love Hörnquist Åstrand
---
 kdc/default_config.c | 5 +++++
 kdc/kdc.h | 1 +
 kdc/kerberos5.c | 7 ++++---
 lib/krb5/krb5.conf.5 | 4 ++++
 4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/kdc/default_config.c b/kdc/default_config.c
index a5ee65ad1..a22e75f61 100644
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -123,6 +123,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->as_use_strongest_session_key, "kdc", "as-use-strongest-session-key", NULL);
+ c->preauth_use_strongest_session_key = krb5_config_get_bool_default(context, NULL, c->preauth_use_strongest_session_key, "kdc", "preauth-use-strongest-session-key", NULL);
 c->tgs_use_strongest_session_key = krb5_config_get_bool_default(context, NULL, c->tgs_use_strongest_session_key,
diff --git a/kdc/kdc.h b/kdc/kdc.h
index 121fa5584..497163521 100644
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -60,6 +60,7 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
 krb5_boolean as_use_strongest_session_key;
+ krb5_boolean preauth_use_strongest_session_key;
 krb5_boolean tgs_use_strongest_session_key;
 krb5_boolean check_ticket_addresses;
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index 0e41c2b92..82a65b62a 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
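Review bot: The new `krb5_config_get_bool_default` call uses `c->preauth_use_strongest_session_key` itself as the fallback value, yet nothing in the patch assigns that field beforehand, so the effective default is whatever the struct held after allocation — FALSE if it is zero-filled — while the krb5.conf.5 text added by the same commit says it defaults to TRUE. The as/tgs counterparts presumably get an explicit initial value earlier in krb5_kdc_get_config (outside this hunk); the new field should be set next to them, e.g. `c->preauth_use_strongest_session_key = TRUE;`, or the documented default should be corrected to match the code. The gap is security-relevant because with the flag off the unauthenticated AS-REQ etype order decides which client-key enctype the KDC advertises in PA-ETYPE-INFO2. krb5_kdc_get_config's body begins and ends outside the hunk.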
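Review bot: The new field's name reads as if it selected a ticket session key, but the commit message and the `_kdc_as_rep` call site use it to choose which of the client's long-term key enctypes is sent in PA-ETYPE-INFO2; a trailing comment would stop the next reader from conflating the two, e.g. `krb5_boolean preauth_use_strongest_session_key; /* PA-ETYPE-INFO2 client-key enctype, not a session key */`. The struct definition continues outside the hunk.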
@@ -134,6 +134,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
 krb5_enctype enctype = ETYPE_NULL;
 Key *key = NULL;
+ /* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
 ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
 if (ret) return ret;
@@ -1387,9 +1388,9 @@ _kdc_as_rep(krb5_context context,
 /* * If there is a client key, send ETYPE_INFO{,2} */
- ret = _kdc_find_etype(context, config->as_use_strongest_session_key,
- TRUE, client, b->etype.val, b->etype.len, NULL,
- &ckey);
+ ret = _kdc_find_etype(context,
+ config->preauth_use_strongest_session_key, TRUE,
+ client, b->etype.val, b->etype.len, NULL, &ckey);
 if (ret == 0) {
 /*
diff --git a/lib/krb5/krb5.conf.5 b/lib/krb5/krb5.conf.5
index 16c8a0a13..9c2908e09 100644
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -411,6 +411,10 @@ client's AS-REQ enctype list, that is also supported by the KDC and the target principal, for the ticket session key. Else it will prefer the first key from the client's AS-REQ enctype list that is also supported by the KDC and the target principal. Defaults to TRUE.
+.It Li preauth-use-strongest-session-key = Va BOOL Like as-use-strongest-session-key, but applies to the session key enctype selection for PA-ETYPE-INFO2 (i.e., for password-based pre-authentication). Defaults to TRUE.
 .It Li tgs-use-strongest-session-key = Va BOOL Like as-use-strongest-session-key, but applies to the session key enctype of tickets issued by the TGS. Defaults to TRUE.
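Review bot: The added comment announces behaviour ("avoid keys with v4 salted keys in the pre-auth case") that the patch does not implement — nothing in this hunk or in the `_kdc_as_rep` change filters keys by salt type — so a reader may assume the protection is already in place. Mark it as pending work and name the trigger, e.g. `/* TODO: when the pre-auth flag (third argument) is set, skip keys carrying a v4 salt; not enforced yet. */`, or drop it until the filter lands. `_kdc_find_etype`'s signature and most of its body lie outside the hunk.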
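Review bot: The selection in the new call is driven by `b->etype.val`, the enctype list from an unauthenticated AS-REQ, and with `preauth_use_strongest_session_key` off the man-page text in this commit says the first listed enctype the principal has a key for wins, so an on-path party that rewrites the list can make the KDC advertise the weakest client key the principal still holds (a leftover DES or RC4 key beside an AES one) and then collect a PA-ENC-TIMESTAMP under it for offline guessing. Even with the flag on the KDC can only pick the strongest of what remains in the list, so the option limits the downgrade rather than preventing it; a comment at the call should say so, e.g. `/* Client key for PA-ETYPE-INFO2: b->etype is attacker-controllable, so the strongest-key option narrows but does not prevent downgrade. */`, and any minimum-enctype policy belongs in a separate check. The `ret != 0` path and the rest of `_kdc_as_rep` lie outside the hunk.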