Also added preauth-use-strongest-session-key krb5.conf kdc parameter, similar to {as, tgs}-use-strongest-session-key. The latter two control ticket session key enctype selection in the AS and TGS cases, respectively, while the former controls PA-ETYPE-INFO2 enctype selection in the AS case.
Signed-off-by: Love Hörnquist Åstrand <lha@h5l.org>
This commit is contained in:
Nicolas Williams
committed by
Love Hörnquist Åstrand
Love Hörnquist Åstrand
parent
a7a8a7e95c
commit
481fe133b2
@@ -123,6 +123,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
|
||||
c->as_use_strongest_session_key,
|
||||
"kdc",
|
||||
"as-use-strongest-session-key", NULL);
|
||||
c->preauth_use_strongest_session_key =
|
||||
krb5_config_get_bool_default(context, NULL,
|
||||
c->preauth_use_strongest_session_key,
|
||||
"kdc",
|
||||
"preauth-use-strongest-session-key", NULL);
|
||||
c->tgs_use_strongest_session_key =
|
||||
krb5_config_get_bool_default(context, NULL,
|
||||
c->tgs_use_strongest_session_key,
|
||||
|
||||
@@ -60,6 +60,7 @@ typedef struct krb5_kdc_configuration {
|
||||
krb5_boolean encode_as_rep_as_tgs_rep; /* bug compatibility */
|
||||
|
||||
krb5_boolean as_use_strongest_session_key;
|
||||
krb5_boolean preauth_use_strongest_session_key;
|
||||
krb5_boolean tgs_use_strongest_session_key;
|
||||
|
||||
krb5_boolean check_ticket_addresses;
|
||||
|
||||
@@ -134,6 +134,7 @@ _kdc_find_etype(krb5_context context, krb5_boolean use_strongest_session_key,
|
||||
krb5_enctype enctype = ETYPE_NULL;
|
||||
Key *key = NULL;
|
||||
|
||||
/* We'll want to avoid keys with v4 salted keys in the pre-auth case... */
|
||||
ret = krb5_get_pw_salt(context, princ->entry.principal, &def_salt);
|
||||
if (ret)
|
||||
return ret;
|
||||
@@ -1387,9 +1388,9 @@ _kdc_as_rep(krb5_context context,
|
||||
/*
|
||||
* If there is a client key, send ETYPE_INFO{,2}
|
||||
*/
|
||||
ret = _kdc_find_etype(context, config->as_use_strongest_session_key,
|
||||
TRUE, client, b->etype.val, b->etype.len, NULL,
|
||||
&ckey);
|
||||
ret = _kdc_find_etype(context,
|
||||
config->preauth_use_strongest_session_key, TRUE,
|
||||
client, b->etype.val, b->etype.len, NULL, &ckey);
|
||||
if (ret == 0) {
|
||||
|
||||
/*
|
||||
|
||||
@@ -411,6 +411,10 @@ client's AS-REQ enctype list, that is also supported by the KDC and the
|
||||
target principal, for the ticket session key. Else it will prefer the
|
||||
first key from the client's AS-REQ enctype list that is also supported
|
||||
by the KDC and the target principal. Defaults to TRUE.
|
||||
.It Li preauth-use-strongest-session-key = Va BOOL
|
||||
Like as-use-strongest-session-key, but applies to the session key
|
||||
enctype selection for PA-ETYPE-INFO2 (i.e., for password-based
|
||||
pre-authentication). Defaults to TRUE.
|
||||
.It Li tgs-use-strongest-session-key = Va BOOL
|
||||
Like as-use-strongest-session-key, but applies to the session key
|
||||
enctype of tickets issued by the TGS. Defaults to TRUE.
|
||||
|
||||
Reference in New Issue
Block a user