Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case.

Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
This commit is contained in:
Nicolas Williams
2011-04-06 00:52:18 -05:00
committed by Love Hörnquist Åstrand
parent a7a8a7e95c
commit 481fe133b2
4 changed files with 14 additions and 3 deletions


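--- a/<path-not-shown-1>
+++ b/<path-not-shown-1>
@@ -123,6 +123,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 c->as_use_strongest_session_key,
 "kdc",
 "as-use-strongest-session-key", NULL);
+c->preauth_use_strongest_session_key =
+krb5_config_get_bool_default(context, NULL,
+c->preauth_use_strongest_session_key,
+"kdc",
+"preauth-use-strongest-session-key", NULL);
 c->tgs_use_strongest_session_key =
 krb5_config_get_bool_default(context, NULL,
 c->tgs_use_strongest_session_key,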
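Review bot: The default handed to krb5_config_get_bool_default here is the field's own prior value, and nothing visible in this commit assigns c->preauth_use_strongest_session_key before this read — the diffstat's 14 additions are all accounted for by the hunks shown — so if the configuration struct is zero-allocated the effective default is FALSE, contradicting the "Defaults to TRUE" in the manual-page hunk. Per that manual text, FALSE means the first client-offered enctype is preferred over the strongest one for PA-ETYPE-INFO2, a weaker default than the documentation promises. Suggest initialising it next to the as-/tgs- defaults earlier in krb5_kdc_get_config (outside this hunk), `c->preauth_use_strongest_session_key = TRUE;`, or seeding it from c->as_use_strongest_session_key so the two cannot silently diverge. krb5_kdc_get_config continues outside the hunk on both sides.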


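--- a/<path-not-shown-2>
+++ b/<path-not-shown-2>
@@ -60,6 +60,7 @@ typedef struct krb5_kdc_configuration {
 krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
 krb5_boolean as_use_strongest_session_key;
+krb5_boolean preauth_use_strongest_session_key;
 krb5_boolean tgs_use_strongest_session_key;
 krb5_boolean check_ticket_addresses;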


@@ -134,6 +134,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
krb5_enctype enctype = ETYPE_NULL; krb5_enctype enctype = ETYPE_NULL;
Key *key = NULL; Key *key = NULL;
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt); ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
if (ret) if (ret)
return ret; return ret;
@@ -1387,9 +1388,9 @@ _kdc_as_rep(krb5_context context,
/* /*
* If there is a client key, send ETYPE_INFO{,2} * If there is a client key, send ETYPE_INFO{,2}
*/ */
ret = _kdc_find_etype(context, config->as_use_strongest_session_key, ret = _kdc_find_etype(context,
TRUE, client, b->etype.val, b->etype.len, NULL, config->preauth_use_strongest_session_key, TRUE,
&ckey); client, b->etype.val, b->etype.len, NULL, &ckey);
if (ret == 0) { if (ret == 0) {
/* /*
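Review bot: The comment added at the top of _kdc_find_etype (`/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */`) states an intention that no code in either hunk implements, and it is not marked as a TODO, so a later reader cannot tell whether that filtering exists elsewhere or is still pending. Suggest either pointing at where the v4-salt check is done or rewording it as `/* TODO: skip v4-salted keys when called for pre-authentication */` so the gap stays visible. In the _kdc_as_rep hunk the call that previously took config->as_use_strongest_session_key now takes config->preauth_use_strongest_session_key, so the two knobs can now diverge; a one-line comment there saying this selects the PA-ETYPE-INFO2 enctype rather than the ticket session key would make that deliberate. Both _kdc_find_etype and _kdc_as_rep extend beyond the hunks shown.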


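--- a/<path-not-shown-4>
+++ b/<path-not-shown-4>
@@ -411,6 +411,10 @@ client's AS-REQ enctype list, that is also supported by the KDC and the
 target principal, for the ticket session key. Else it will prefer the
 first key from the client's AS-REQ enctype list that is also supported
 by the KDC and the target principal. Defaults to TRUE.
+.It Li preauth-use-strongest-session-key = Va BOOL
+Like as-use-strongest-session-key, but applies to the session key
+enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
+pre-authentication). Defaults to TRUE.
 .It Li tgs-use-strongest-session-key = Va BOOL
 Like as-use-strongest-session-key, but applies to the session key
 enctype of tickets issued by the TGS. Defaults to TRUE.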