Implement forwarding of leaf TGTs to selected realms.
Refactor and enhance TGT forwarding to allow forwarding of leaf (destination) TGTs for selected destination realms. Enhance kinit(1) to renew non-origin realm tickets Document delegate-destination-tgt Use the newly implemented _krb5_mk_1cred().
This commit is contained in:
		 Viktor Dukhovni
					Viktor Dukhovni
				
			
				
					committed by
					
						 Nico Williams
						Nico Williams
					
				
			
			
				
	
			
			
			 Nico Williams
						Nico Williams
					
				
			
						parent
						
							d81118cc1f
						
					
				
				
					commit
					5bbe7c8dc6
				
			| @@ -115,10 +115,18 @@ like | |||||||
| .It Fl p , Fl Fl proxiable | .It Fl p , Fl Fl proxiable | ||||||
| Request tickets with the proxiable flag set. | Request tickets with the proxiable flag set. | ||||||
| .It Fl R , Fl Fl renew | .It Fl R , Fl Fl renew | ||||||
| Try to renew ticket. | Try to renew a ticket. | ||||||
| The ticket must have the | The ticket must have the | ||||||
| .Sq renewable | .Sq renewable | ||||||
| flag set, and must not be expired. | flag set, and must not be expired. If the | ||||||
|  | .Oo Fl S Ar principal Oc | ||||||
|  | option is specified, the ticket for the indicated service is renewed. | ||||||
|  | If no service is explicitly specified, an attempt is made to renew the | ||||||
|  | TGT for the client realm.  If no TGT for the client realm is found in the | ||||||
|  | credential cache, an attempt is made to renew the TGT for the defaualt | ||||||
|  | realm (if that is found in the credential cache), or else the first | ||||||
|  | TGT found.  This makes it easier for users to renew forwarded tickets | ||||||
|  | that are not issued by the origin realm. | ||||||
| .It Fl Fl renewable | .It Fl Fl renewable | ||||||
| The same as | The same as | ||||||
| .Fl Fl renewable-life , | .Fl Fl renewable-life , | ||||||
|   | |||||||
							
								
								
									
										122
									
								
								kuser/kinit.c
									
									
									
									
									
								
							
							
						
						
									
										122
									
								
								kuser/kinit.c
									
									
									
									
									
								
							| @@ -61,6 +61,7 @@ int anonymous_flag	= 0; | |||||||
| char *lifetime 		= NULL; | char *lifetime 		= NULL; | ||||||
| char *renew_life	= NULL; | char *renew_life	= NULL; | ||||||
| char *server_str	= NULL; | char *server_str	= NULL; | ||||||
|  | static krb5_principal tgs_service; | ||||||
| char *cred_cache	= NULL; | char *cred_cache	= NULL; | ||||||
| char *start_str		= NULL; | char *start_str		= NULL; | ||||||
| static int switch_cache_flags = 1; | static int switch_cache_flags = 1; | ||||||
| @@ -217,19 +218,125 @@ usage(int ret) | |||||||
|     exit(ret); |     exit(ret); | ||||||
| } | } | ||||||
|  |  | ||||||
|  | static krb5_error_code | ||||||
|  | tgs_principal(krb5_context context, | ||||||
|  |           krb5_ccache cache, | ||||||
|  |           krb5_principal client, | ||||||
|  | 	  krb5_const_realm tgs_realm, | ||||||
|  | 	  krb5_principal *out_princ) | ||||||
|  | { | ||||||
|  |     krb5_error_code ret; | ||||||
|  |     krb5_principal tgs_princ; | ||||||
|  |     krb5_creds creds; | ||||||
|  |     krb5_creds *tick; | ||||||
|  |     krb5_flags options; | ||||||
|  |  | ||||||
|  |     ret = krb5_make_principal(context, &tgs_princ, tgs_realm, | ||||||
|  | 			      KRB5_TGS_NAME, tgs_realm, NULL); | ||||||
|  |     if (ret) | ||||||
|  | 	return ret; | ||||||
|  |  | ||||||
|  |     /* | ||||||
|  |      * Don't fail-over to a different realm just because a TGT expired | ||||||
|  |      */ | ||||||
|  |     options = KRB5_GC_CACHED | KRB5_GC_EXPIRED_OK; | ||||||
|  |  | ||||||
|  |     memset(&creds, 0, sizeof(creds)); | ||||||
|  |     creds.client = client; | ||||||
|  |     creds.server = tgs_princ; | ||||||
|  |     ret = krb5_get_credentials(context, options, cache, &creds, &tick); | ||||||
|  |     if (ret == 0) { | ||||||
|  |         krb5_free_creds(context, tick); | ||||||
|  | 	*out_princ = tgs_princ; | ||||||
|  |     } else { | ||||||
|  | 	krb5_free_principal(context, tgs_princ); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     return ret; | ||||||
|  | } | ||||||
|  |  | ||||||
|  |  | ||||||
|  | /* | ||||||
|  |  * Try TGS specified with '-S', | ||||||
|  |  * then TGS of client realm, | ||||||
|  |  * then if fallback is FALSE: fail, | ||||||
|  |  * otherwise try TGS of default realm, | ||||||
|  |  * and finally first TGT in ccache. | ||||||
|  |  */ | ||||||
| static krb5_error_code | static krb5_error_code | ||||||
| get_server(krb5_context context, | get_server(krb5_context context, | ||||||
|  | 	   krb5_ccache cache, | ||||||
| 	   krb5_principal client, | 	   krb5_principal client, | ||||||
| 	   const char *server, | 	   const char *server, | ||||||
|  | 	   krb5_boolean fallback, | ||||||
| 	   krb5_principal *princ) | 	   krb5_principal *princ) | ||||||
| { | { | ||||||
|  |     krb5_error_code ret = 0; | ||||||
|     krb5_const_realm realm; |     krb5_const_realm realm; | ||||||
|     if (server) |     krb5_realm def_realm; | ||||||
| 	return krb5_parse_name(context, server, princ); |     krb5_cc_cursor cursor; | ||||||
|  |     krb5_creds creds; | ||||||
|  |     const char *pcomp; | ||||||
|  |  | ||||||
|  |     if (tgs_service) | ||||||
|  | 	goto done; | ||||||
|  |  | ||||||
|  |     if (server) { | ||||||
|  | 	ret = krb5_parse_name(context, server, &tgs_service); | ||||||
|  | 	goto done; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     /* Try the client realm first */ | ||||||
|     realm = krb5_principal_get_realm(context, client); |     realm = krb5_principal_get_realm(context, client); | ||||||
|     return krb5_make_principal(context, princ, realm, |     ret = tgs_principal(context, cache, client, realm, &tgs_service); | ||||||
| 			       KRB5_TGS_NAME, realm, NULL); |     if (ret == 0 || ret != KRB5_CC_NOTFOUND) | ||||||
|  | 	goto done; | ||||||
|  |  | ||||||
|  |     if (!fallback) | ||||||
|  | 	return ret; | ||||||
|  |  | ||||||
|  |     /* Next try the default realm */ | ||||||
|  |     ret = krb5_get_default_realm(context, &def_realm); | ||||||
|  |     if (ret) | ||||||
|  | 	return ret; | ||||||
|  |     ret = tgs_principal(context, cache, client, def_realm, &tgs_service); | ||||||
|  |     free(def_realm); | ||||||
|  |     if (ret == 0 || ret != KRB5_CC_NOTFOUND) | ||||||
|  | 	goto done; | ||||||
|  |  | ||||||
|  |     /* Finally try the first TGT with instance == realm in the cache */ | ||||||
|  |     ret = krb5_cc_start_seq_get(context, cache, &cursor); | ||||||
|  |     if (ret) | ||||||
|  | 	return ret; | ||||||
|  |  | ||||||
|  |     for (/**/; ret == 0; krb5_free_cred_contents (context, &creds)) { | ||||||
|  |  | ||||||
|  | 	ret = krb5_cc_next_cred(context, cache, &cursor, &creds); | ||||||
|  | 	if (ret) | ||||||
|  | 	    break; | ||||||
|  |         if (creds.server->name.name_string.len != 2) | ||||||
|  | 	    continue; | ||||||
|  | 	pcomp = krb5_principal_get_comp_string(context, creds.server, 0); | ||||||
|  | 	if (strcmp(pcomp, KRB5_TGS_NAME) != 0) | ||||||
|  | 	    continue; | ||||||
|  | 	realm = krb5_principal_get_realm(context, creds.server); | ||||||
|  |         pcomp = krb5_principal_get_comp_string(context, creds.server, 1); | ||||||
|  | 	if (strcmp(realm, pcomp) != 0) | ||||||
|  | 	    continue; | ||||||
|  | 	ret = krb5_copy_principal(context, creds.server, &tgs_service); | ||||||
|  | 	break; | ||||||
|  |     } | ||||||
|  |     if (ret == KRB5_CC_END) { | ||||||
|  | 	ret = KRB5_CC_NOTFOUND; | ||||||
|  | 	krb5_set_error_message(context, ret, | ||||||
|  | 			       N_("Credential cache contains no TGTs", "")); | ||||||
|  |     } | ||||||
|  |     krb5_cc_end_seq_get(context, cache, &cursor); | ||||||
|  |  | ||||||
|  | done: | ||||||
|  |     if (!ret) | ||||||
|  | 	ret = krb5_copy_principal(context, tgs_service, princ); | ||||||
|  |     return ret; | ||||||
| } | } | ||||||
|  |  | ||||||
| static krb5_error_code | static krb5_error_code | ||||||
| @@ -333,7 +440,7 @@ renew_validate(krb5_context context, | |||||||
| 				    KRB5_ANON_MATCH_UNAUTHENTICATED)) | 				    KRB5_ANON_MATCH_UNAUTHENTICATED)) | ||||||
| 	ret = get_anon_pkinit_tgs_name(context, cache, &in.server); | 	ret = get_anon_pkinit_tgs_name(context, cache, &in.server); | ||||||
|     else |     else | ||||||
| 	ret = get_server(context, in.client, server, &in.server); | 	ret = get_server(context, cache, in.client, server, TRUE, &in.server); | ||||||
|     if (ret) { |     if (ret) { | ||||||
| 	krb5_warn(context, ret, "get_server"); | 	krb5_warn(context, ret, "get_server"); | ||||||
| 	goto out; | 	goto out; | ||||||
| @@ -855,7 +962,10 @@ ticket_lifetime(krb5_context context, krb5_ccache cache, krb5_principal client, | |||||||
| 	krb5_warn(context, ret, "krb5_cc_get_principal"); | 	krb5_warn(context, ret, "krb5_cc_get_principal"); | ||||||
| 	return 0; | 	return 0; | ||||||
|     } |     } | ||||||
|     ret = get_server(context, in_cred.client, server, &in_cred.server); |  | ||||||
|  |     /* Determine TGS principal without fallback */ | ||||||
|  |     ret = get_server(context, cache, in_cred.client, server, FALSE, | ||||||
|  | 		     &in_cred.server); | ||||||
|     if (ret) { |     if (ret) { | ||||||
| 	krb5_free_principal(context, in_cred.client); | 	krb5_free_principal(context, in_cred.client); | ||||||
| 	krb5_warn(context, ret, "get_server"); | 	krb5_warn(context, ret, "get_server"); | ||||||
|   | |||||||
| @@ -314,47 +314,29 @@ do_delegation (krb5_context context, | |||||||
| 	       krb5_auth_context ac, | 	       krb5_auth_context ac, | ||||||
| 	       krb5_ccache ccache, | 	       krb5_ccache ccache, | ||||||
| 	       krb5_creds *cred, | 	       krb5_creds *cred, | ||||||
| 	       krb5_const_principal name, | 	       krb5_const_principal server, | ||||||
| 	       krb5_data *fwd_data, | 	       krb5_data *fwd_data, | ||||||
| 	       uint32_t flagmask, | 	       uint32_t flagmask, | ||||||
| 	       uint32_t *flags) | 	       uint32_t *flags) | ||||||
| { | { | ||||||
|     krb5_creds creds; |  | ||||||
|     KDCOptions fwd_flags; |  | ||||||
|     krb5_error_code kret; |     krb5_error_code kret; | ||||||
|  |     krb5_principal client; | ||||||
|  |     const char *host; | ||||||
|  |  | ||||||
|     memset (&creds, 0, sizeof(creds)); |  | ||||||
|     krb5_data_zero (fwd_data); |     krb5_data_zero (fwd_data); | ||||||
|  |  | ||||||
|     kret = krb5_cc_get_principal(context, ccache, &creds.client); |     kret = krb5_cc_get_principal(context, ccache, &client); | ||||||
|     if (kret) |     if (kret) | ||||||
| 	goto out; | 	goto out; | ||||||
|  |  | ||||||
|     kret = krb5_make_principal(context, |     /* We can't generally enforce server.name_type == KRB5_NT_SRV_HST */ | ||||||
| 			       &creds.server, |     if (server->name.name_string.len < 2) | ||||||
| 			       creds.client->realm, |  | ||||||
| 			       KRB5_TGS_NAME, |  | ||||||
| 			       creds.client->realm, |  | ||||||
| 			       NULL); |  | ||||||
|     if (kret) |  | ||||||
| 	goto out; | 	goto out; | ||||||
|  |     host = krb5_principal_get_comp_string(context, server, 1); | ||||||
|  |  | ||||||
|     creds.times.endtime = 0; | #define FWDABLE 1 | ||||||
|  |     kret = krb5_fwd_tgt_creds(context, ac, host, client, server, ccache, | ||||||
|     memset(&fwd_flags, 0, sizeof(fwd_flags)); | 			      FWDABLE, fwd_data); | ||||||
|     fwd_flags.forwarded = 1; |  | ||||||
|     fwd_flags.forwardable = 1; |  | ||||||
|  |  | ||||||
|     if (name->name.name_string.len < 2) |  | ||||||
| 	goto out; |  | ||||||
|  |  | ||||||
|     kret = krb5_get_forwarded_creds(context, |  | ||||||
| 				    ac, |  | ||||||
| 				    ccache, |  | ||||||
| 				    KDCOptions2int(fwd_flags), |  | ||||||
| 				    name->name.name_string.val[1], |  | ||||||
| 				    &creds, |  | ||||||
| 				    fwd_data); |  | ||||||
|  |  | ||||||
|  out: |  out: | ||||||
|     if (kret) |     if (kret) | ||||||
| @@ -362,10 +344,8 @@ do_delegation (krb5_context context, | |||||||
|     else |     else | ||||||
| 	*flags |= flagmask; | 	*flags |= flagmask; | ||||||
|  |  | ||||||
|     if (creds.client) |     if (client) | ||||||
| 	krb5_free_principal(context, creds.client); | 	krb5_free_principal(context, client); | ||||||
|     if (creds.server) |  | ||||||
| 	krb5_free_principal(context, creds.server); |  | ||||||
| } | } | ||||||
|  |  | ||||||
| /* | /* | ||||||
|   | |||||||
| @@ -1481,6 +1481,8 @@ krb5_make_addrport (krb5_context context, | |||||||
|     size_t len = addr->address.length + 2 + 4 * 4; |     size_t len = addr->address.length + 2 + 4 * 4; | ||||||
|     u_char *p; |     u_char *p; | ||||||
|  |  | ||||||
|  |     /* XXX Make this assume port == 0 -> port is absent */ | ||||||
|  |  | ||||||
|     *res = malloc (sizeof(**res)); |     *res = malloc (sizeof(**res)); | ||||||
|     if (*res == NULL) |     if (*res == NULL) | ||||||
| 	return krb5_enomem(context); | 	return krb5_enomem(context); | ||||||
|   | |||||||
| @@ -33,6 +33,14 @@ | |||||||
|  |  | ||||||
| #include "krb5_locl.h" | #include "krb5_locl.h" | ||||||
|  |  | ||||||
|  | static krb5_error_code set_tgs_creds(krb5_context, krb5_ccache, | ||||||
|  |                                      krb5_const_principal, | ||||||
|  |                                      krb5_const_principal, krb5_creds *); | ||||||
|  | static krb5_error_code get_cred(krb5_context, krb5_ccache, krb5_creds *, | ||||||
|  |                                 krb5_flags, const char *, krb5_creds **); | ||||||
|  | static krb5_error_code get_addresses(krb5_context, krb5_ccache, krb5_creds *, | ||||||
|  |                                      const char *, krb5_addresses *); | ||||||
|  |  | ||||||
| static krb5_error_code | static krb5_error_code | ||||||
| add_addrs(krb5_context context, | add_addrs(krb5_context context, | ||||||
| 	  krb5_addresses *addr, | 	  krb5_addresses *addr, | ||||||
| @@ -85,6 +93,12 @@ fail: | |||||||
|  * forwardable if forwardable, and returning the blob of data to sent |  * forwardable if forwardable, and returning the blob of data to sent | ||||||
|  * in out_data.  If hostname == NULL, pick it from server. |  * in out_data.  If hostname == NULL, pick it from server. | ||||||
|  * |  * | ||||||
|  |  * If the server's realm is configured for delegation of destination | ||||||
|  |  * TGTs, forward a TGT for the server realm, rather than the client | ||||||
|  |  * realm. This works better with destinations on the far side of a | ||||||
|  |  * firewall. We also forward the destination TGT when the client | ||||||
|  |  * TGT is not available (we may have just the destination TGT). | ||||||
|  |  * | ||||||
|  * @param context A kerberos 5 context. |  * @param context A kerberos 5 context. | ||||||
|  * @param auth_context the auth context with the key to encrypt the out_data. |  * @param auth_context the auth context with the key to encrypt the out_data. | ||||||
|  * @param hostname the host to forward the tickets too. |  * @param hostname the host to forward the tickets too. | ||||||
| @@ -103,8 +117,8 @@ KRB5_LIB_FUNCTION krb5_error_code KRB5_LIB_CALL | |||||||
| krb5_fwd_tgt_creds(krb5_context	context, | krb5_fwd_tgt_creds(krb5_context	context, | ||||||
| 		   krb5_auth_context	auth_context, | 		   krb5_auth_context	auth_context, | ||||||
| 		   const char		*hostname, | 		   const char		*hostname, | ||||||
| 		    krb5_principal	client, | 		   krb5_const_principal	client, | ||||||
| 		    krb5_principal	server, | 		   krb5_const_principal	server, | ||||||
| 		   krb5_ccache		ccache, | 		   krb5_ccache		ccache, | ||||||
| 		   int			forwardable, | 		   int			forwardable, | ||||||
| 		   krb5_data		*out_data) | 		   krb5_data		*out_data) | ||||||
| @@ -112,7 +126,6 @@ krb5_fwd_tgt_creds (krb5_context	context, | |||||||
|     krb5_flags flags = 0; |     krb5_flags flags = 0; | ||||||
|     krb5_creds creds; |     krb5_creds creds; | ||||||
|     krb5_error_code ret; |     krb5_error_code ret; | ||||||
|     krb5_const_realm client_realm; |  | ||||||
|  |  | ||||||
|     flags |= KDC_OPT_FORWARDED; |     flags |= KDC_OPT_FORWARDED; | ||||||
|  |  | ||||||
| @@ -131,17 +144,11 @@ krb5_fwd_tgt_creds (krb5_context	context, | |||||||
| 	    hostname = host; | 	    hostname = host; | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     client_realm = krb5_principal_get_realm(context, client); |     /* | ||||||
|  |      * Fill-in the request creds, the server principal will be the TGS | ||||||
|     memset (&creds, 0, sizeof(creds)); |      * of either the client's or the server's realm. | ||||||
|     creds.client = client; |      */ | ||||||
|  |     ret = set_tgs_creds(context, ccache, client, server, &creds); | ||||||
|     ret = krb5_make_principal(context, |  | ||||||
| 			      &creds.server, |  | ||||||
| 			      client_realm, |  | ||||||
| 			      KRB5_TGS_NAME, |  | ||||||
| 			      client_realm, |  | ||||||
| 			      NULL); |  | ||||||
|     if (ret) |     if (ret) | ||||||
| 	return ret; | 	return ret; | ||||||
|  |  | ||||||
| @@ -152,6 +159,8 @@ krb5_fwd_tgt_creds (krb5_context	context, | |||||||
| 				    hostname, | 				    hostname, | ||||||
| 				    &creds, | 				    &creds, | ||||||
| 				    out_data); | 				    out_data); | ||||||
|  |  | ||||||
|  |     krb5_free_cred_contents(context, &creds); | ||||||
|     return ret; |     return ret; | ||||||
| } | } | ||||||
|  |  | ||||||
| @@ -192,273 +201,167 @@ krb5_get_forwarded_creds (krb5_context	    context, | |||||||
| 			  krb5_data         *out_data) | 			  krb5_data         *out_data) | ||||||
| { | { | ||||||
|     krb5_error_code ret; |     krb5_error_code ret; | ||||||
|     krb5_creds *out_creds; |     krb5_creds *creds; | ||||||
|     krb5_addresses addrs, *paddrs; |  | ||||||
|     KRB_CRED cred; |     /* Obtain the requested TGT */ | ||||||
|     KrbCredInfo *krb_cred_info; |     ret = get_cred(context, ccache, in_creds, flags, hostname, &creds); | ||||||
|     EncKrbCredPart enc_krb_cred_part; |     if (ret) | ||||||
|     size_t len; |         return ret; | ||||||
|     unsigned char *buf; |  | ||||||
|     size_t buf_size; |     /* Forward obtained creds */ | ||||||
|     krb5_kdc_flags kdc_flags; |     ret = _krb5_mk_1cred(context, auth_context, creds, out_data, NULL); | ||||||
|     krb5_crypto crypto; |     krb5_free_creds(context, creds); | ||||||
|     struct addrinfo *ai; |     return ret; | ||||||
|     krb5_creds *ticket; | } | ||||||
|  |  | ||||||
|  | /* | ||||||
|  |  * Get a TGT for forwarding to hostname. If the client TGT is | ||||||
|  |  * addressless, the forwarded ticket will also be addressless. | ||||||
|  |  * | ||||||
|  |  * If the TGT has any addresses, hostname will be used to determine | ||||||
|  |  * the address to forward the ticket to. Thus, since this might use DNS, | ||||||
|  |  * it's insecure and also may not capture all the addresses of the host. | ||||||
|  |  * In general addressless tickets are more robust, be it at a small | ||||||
|  |  * security penalty. | ||||||
|  |  * | ||||||
|  |  * @param context A kerberos 5 context. | ||||||
|  |  * @param ccache The credential cache to use | ||||||
|  |  * @param creds Creds with client and server principals | ||||||
|  |  * @param flags The flags to control the resulting ticket flags | ||||||
|  |  * @param hostname The hostname of server | ||||||
|  |  * @param out_creds The resulting credential | ||||||
|  |  * | ||||||
|  |  * @return Return an error code or 0. | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | static krb5_error_code | ||||||
|  | get_cred(krb5_context      context, | ||||||
|  | 	 krb5_ccache       ccache, | ||||||
|  | 	 krb5_creds	   *creds, | ||||||
|  | 	 krb5_flags        flags, | ||||||
|  | 	 const char        *hostname, | ||||||
|  | 	 krb5_creds        **out_creds) | ||||||
|  | { | ||||||
|  |     krb5_error_code ret; | ||||||
|  |     krb5_kdc_flags kdc_flags; | ||||||
|  |     krb5_addresses addrs; | ||||||
|  |  | ||||||
|     paddrs = NULL; |  | ||||||
|     addrs.len = 0; |     addrs.len = 0; | ||||||
|     addrs.val = NULL; |     addrs.val = NULL; | ||||||
|  |     ret = get_addresses(context, ccache, creds, hostname, &addrs); | ||||||
|     ret = krb5_get_credentials(context, 0, ccache, in_creds, &ticket); |  | ||||||
|     if(ret == 0) { |  | ||||||
| 	if (ticket->addresses.len) |  | ||||||
| 	    paddrs = &addrs; |  | ||||||
| 	krb5_free_creds (context, ticket); |  | ||||||
|     } else { |  | ||||||
| 	krb5_boolean noaddr; |  | ||||||
| 	krb5_appdefault_boolean(context, NULL, |  | ||||||
| 				krb5_principal_get_realm(context, |  | ||||||
| 							 in_creds->client), |  | ||||||
| 				"no-addresses", KRB5_ADDRESSLESS_DEFAULT, |  | ||||||
| 				&noaddr); |  | ||||||
| 	if (!noaddr) |  | ||||||
| 	    paddrs = &addrs; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     /* |  | ||||||
|      * If tickets have addresses, get the address of the remote host. |  | ||||||
|      */ |  | ||||||
|  |  | ||||||
|     if (paddrs != NULL) { |  | ||||||
|  |  | ||||||
| 	ret = getaddrinfo (hostname, NULL, NULL, &ai); |  | ||||||
| 	if (ret) { |  | ||||||
| 	    krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, errno); |  | ||||||
| 	    krb5_set_error_message(context, ret2, |  | ||||||
| 				   N_("resolving host %s failed: %s", |  | ||||||
| 				      "hostname, error"), |  | ||||||
| 				  hostname, gai_strerror(ret)); |  | ||||||
| 	    return ret2; |  | ||||||
| 	} |  | ||||||
|  |  | ||||||
| 	ret = add_addrs (context, &addrs, ai); |  | ||||||
| 	freeaddrinfo (ai); |  | ||||||
|     if (ret) |     if (ret) | ||||||
| 	return ret; | 	return ret; | ||||||
|     } |  | ||||||
|  |  | ||||||
|     kdc_flags.b = int2KDCOptions(flags); |     kdc_flags.b = int2KDCOptions(flags); | ||||||
|  |     ret = krb5_get_kdc_cred(context, ccache, kdc_flags, &addrs, NULL, | ||||||
|  | 			    creds, out_creds); | ||||||
|  |  | ||||||
|     ret = krb5_get_kdc_cred (context, |  | ||||||
| 			     ccache, |  | ||||||
| 			     kdc_flags, |  | ||||||
| 			     paddrs, |  | ||||||
| 			     NULL, |  | ||||||
| 			     in_creds, |  | ||||||
| 			     &out_creds); |  | ||||||
|     krb5_free_addresses(context, &addrs); |     krb5_free_addresses(context, &addrs); | ||||||
|  |     return ret; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | static krb5_error_code | ||||||
|  | set_tgs_creds(krb5_context		context, | ||||||
|  | 	      krb5_ccache		ccache, | ||||||
|  | 	      krb5_const_principal	client, | ||||||
|  | 	      krb5_const_principal	server, | ||||||
|  | 	      krb5_creds		*creds) | ||||||
|  | { | ||||||
|  |     krb5_error_code ret; | ||||||
|  |     krb5_const_realm client_realm; | ||||||
|  |     krb5_const_realm server_realm; | ||||||
|  |     krb5_boolean fwd_dest_tgt; | ||||||
|  |     krb5_creds *client_tgt; | ||||||
|  |  | ||||||
|  |     client_realm = krb5_principal_get_realm(context, client); | ||||||
|  |     server_realm = krb5_principal_get_realm(context, server); | ||||||
|  |  | ||||||
|  |     memset (creds, 0, sizeof(*creds)); | ||||||
|  |     ret = krb5_copy_principal(context, client, &creds->client); | ||||||
|     if (ret) |     if (ret) | ||||||
| 	return ret; | 	return ret; | ||||||
|  |     ret = krb5_make_principal(context, &creds->server, client_realm, | ||||||
|     memset (&cred, 0, sizeof(cred)); | 			      KRB5_TGS_NAME, client_realm, NULL); | ||||||
|     cred.pvno = 5; |  | ||||||
|     cred.msg_type = krb_cred; |  | ||||||
|     ALLOC_SEQ(&cred.tickets, 1); |  | ||||||
|     if (cred.tickets.val == NULL) { |  | ||||||
| 	ret = krb5_enomem(context); |  | ||||||
| 	goto out2; |  | ||||||
|     } |  | ||||||
|     ret = decode_Ticket(out_creds->ticket.data, |  | ||||||
| 			out_creds->ticket.length, |  | ||||||
| 			cred.tickets.val, &len); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out3; |  | ||||||
|  |  | ||||||
|     memset (&enc_krb_cred_part, 0, sizeof(enc_krb_cred_part)); |  | ||||||
|     ALLOC_SEQ(&enc_krb_cred_part.ticket_info, 1); |  | ||||||
|     if (enc_krb_cred_part.ticket_info.val == NULL) { |  | ||||||
| 	ret = krb5_enomem(context); |  | ||||||
| 	goto out4; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     if (auth_context->flags & KRB5_AUTH_CONTEXT_DO_TIME) { |  | ||||||
| 	krb5_timestamp sec; |  | ||||||
| 	int32_t usec; |  | ||||||
|  |  | ||||||
| 	krb5_us_timeofday (context, &sec, &usec); |  | ||||||
|  |  | ||||||
| 	ALLOC(enc_krb_cred_part.timestamp, 1); |  | ||||||
| 	if (enc_krb_cred_part.timestamp == NULL) { |  | ||||||
| 	    ret = krb5_enomem(context); |  | ||||||
| 	    goto out4; |  | ||||||
| 	} |  | ||||||
| 	*enc_krb_cred_part.timestamp = sec; |  | ||||||
| 	ALLOC(enc_krb_cred_part.usec, 1); |  | ||||||
| 	if (enc_krb_cred_part.usec == NULL) { |  | ||||||
| 	    ret = krb5_enomem(context); |  | ||||||
| 	    goto out4; |  | ||||||
| 	} |  | ||||||
| 	*enc_krb_cred_part.usec      = usec; |  | ||||||
|     } else { |  | ||||||
| 	enc_krb_cred_part.timestamp = NULL; |  | ||||||
| 	enc_krb_cred_part.usec = NULL; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     if (auth_context->local_address && auth_context->local_port && paddrs) { |  | ||||||
|  |  | ||||||
| 	ret = krb5_make_addrport (context, |  | ||||||
| 				  &enc_krb_cred_part.s_address, |  | ||||||
| 				  auth_context->local_address, |  | ||||||
| 				  auth_context->local_port); |  | ||||||
| 	if (ret) |  | ||||||
| 	    goto out4; |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     if (auth_context->remote_address) { |  | ||||||
| 	if (auth_context->remote_port) { |  | ||||||
| 	    krb5_boolean noaddr; |  | ||||||
| 	    krb5_const_realm srealm; |  | ||||||
|  |  | ||||||
| 	    srealm = krb5_principal_get_realm(context, out_creds->server); |  | ||||||
| 	    /* Is this correct, and should we use the paddrs == NULL |  | ||||||
|                trick here as well? Having an address-less ticket may |  | ||||||
|                indicate that we don't know our own global address, but |  | ||||||
|                it does not necessary mean that we don't know the |  | ||||||
|                server's. */ |  | ||||||
| 	    krb5_appdefault_boolean(context, NULL, srealm, "no-addresses", |  | ||||||
| 				    FALSE, &noaddr); |  | ||||||
| 	    if (!noaddr) { |  | ||||||
| 		ret = krb5_make_addrport (context, |  | ||||||
| 					  &enc_krb_cred_part.r_address, |  | ||||||
| 					  auth_context->remote_address, |  | ||||||
| 					  auth_context->remote_port); |  | ||||||
| 		if (ret) |  | ||||||
| 		    goto out4; |  | ||||||
| 	    } |  | ||||||
| 	} else { |  | ||||||
| 	    ALLOC(enc_krb_cred_part.r_address, 1); |  | ||||||
| 	    if (enc_krb_cred_part.r_address == NULL) { |  | ||||||
| 		ret = krb5_enomem(context); |  | ||||||
| 		goto out4; |  | ||||||
| 	    } |  | ||||||
|  |  | ||||||
| 	    ret = krb5_copy_address (context, auth_context->remote_address, |  | ||||||
| 				     enc_krb_cred_part.r_address); |  | ||||||
| 	    if (ret) |  | ||||||
| 		goto out4; |  | ||||||
| 	} |  | ||||||
|     } |  | ||||||
|  |  | ||||||
|     /* fill ticket_info.val[0] */ |  | ||||||
|  |  | ||||||
|     enc_krb_cred_part.ticket_info.len = 1; |  | ||||||
|  |  | ||||||
|     krb_cred_info = enc_krb_cred_part.ticket_info.val; |  | ||||||
|  |  | ||||||
|     ret = copy_EncryptionKey (&out_creds->session, &krb_cred_info->key); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out4; |  | ||||||
|     ALLOC(krb_cred_info->prealm, 1); |  | ||||||
|     ret = copy_Realm (&out_creds->client->realm, krb_cred_info->prealm); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out4; |  | ||||||
|     ALLOC(krb_cred_info->pname, 1); |  | ||||||
|     ret = copy_PrincipalName(&out_creds->client->name, krb_cred_info->pname); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out4; |  | ||||||
|     ALLOC(krb_cred_info->flags, 1); |  | ||||||
|     *krb_cred_info->flags          = out_creds->flags.b; |  | ||||||
|     ALLOC(krb_cred_info->authtime, 1); |  | ||||||
|     *krb_cred_info->authtime       = out_creds->times.authtime; |  | ||||||
|     ALLOC(krb_cred_info->starttime, 1); |  | ||||||
|     *krb_cred_info->starttime      = out_creds->times.starttime; |  | ||||||
|     ALLOC(krb_cred_info->endtime, 1); |  | ||||||
|     *krb_cred_info->endtime        = out_creds->times.endtime; |  | ||||||
|     ALLOC(krb_cred_info->renew_till, 1); |  | ||||||
|     *krb_cred_info->renew_till = out_creds->times.renew_till; |  | ||||||
|     ALLOC(krb_cred_info->srealm, 1); |  | ||||||
|     ret = copy_Realm (&out_creds->server->realm, krb_cred_info->srealm); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out4; |  | ||||||
|     ALLOC(krb_cred_info->sname, 1); |  | ||||||
|     ret = copy_PrincipalName (&out_creds->server->name, krb_cred_info->sname); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out4; |  | ||||||
|     ALLOC(krb_cred_info->caddr, 1); |  | ||||||
|     ret = copy_HostAddresses (&out_creds->addresses, krb_cred_info->caddr); |  | ||||||
|     if (ret) |  | ||||||
| 	goto out4; |  | ||||||
|  |  | ||||||
|     krb5_free_creds (context, out_creds); |  | ||||||
|  |  | ||||||
|     /* encode EncKrbCredPart */ |  | ||||||
|  |  | ||||||
|     ASN1_MALLOC_ENCODE(EncKrbCredPart, buf, buf_size, |  | ||||||
| 		       &enc_krb_cred_part, &len, ret); |  | ||||||
|     free_EncKrbCredPart (&enc_krb_cred_part); |  | ||||||
|     if (ret) { |     if (ret) { | ||||||
| 	free_KRB_CRED(&cred); | 	krb5_free_principal(context, creds->client); | ||||||
| 	return ret; | 	return ret; | ||||||
|     } |     } | ||||||
|     if(buf_size != len) |  | ||||||
| 	krb5_abortx(context, "internal error in ASN.1 encoder"); |  | ||||||
|  |  | ||||||
|     /** |  | ||||||
|      * Some older of the MIT gssapi library used clear-text tickets |  | ||||||
|      * (warped inside AP-REQ encryption), use the krb5_auth_context |  | ||||||
|      * flag KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED to support those |  | ||||||
|      * tickets. The session key is used otherwise to encrypt the |  | ||||||
|      * forwarded ticket. |  | ||||||
|      */ |  | ||||||
|  |  | ||||||
|     if (auth_context->flags & KRB5_AUTH_CONTEXT_CLEAR_FORWARDED_CRED) { |  | ||||||
| 	cred.enc_part.etype = KRB5_ENCTYPE_NULL; |  | ||||||
| 	cred.enc_part.kvno = NULL; |  | ||||||
| 	cred.enc_part.cipher.data = buf; |  | ||||||
| 	cred.enc_part.cipher.length = buf_size; |  | ||||||
|     } else { |  | ||||||
|     /* |     /* | ||||||
| 	 * Here older versions then 0.7.2 of Heimdal used the local or |      * Optionally delegate a TGT for the server's realm, rather than | ||||||
| 	 * remote subkey. That is wrong, the session key should be |      * the client's. Do this also when we don't have a client realm TGT. | ||||||
| 	 * used. Heimdal 0.7.2 and newer have code to try both in the |      * | ||||||
| 	 * receiving end. |      * XXX: Note, when we have a start-realm, and delegate-destination-tgt | ||||||
|  |      * is not set, we must use the start-realm. | ||||||
|      */ |      */ | ||||||
|  |     krb5_appdefault_boolean(context, NULL, server_realm, | ||||||
|  | 			    "delegate-destination-tgt", FALSE, &fwd_dest_tgt); | ||||||
|  |  | ||||||
| 	ret = krb5_crypto_init(context, auth_context->keyblock, 0, &crypto); |     if (!fwd_dest_tgt) { | ||||||
| 	if (ret) { | 	ret = krb5_get_credentials(context, KRB5_GC_CACHED, ccache, creds, | ||||||
| 	    free(buf); | 				   &client_tgt); | ||||||
| 	    free_KRB_CRED(&cred); | 	if (ret == 0) { | ||||||
| 	    return ret; | 	    krb5_free_creds(context, client_tgt); | ||||||
| 	} |  | ||||||
| 	ret = krb5_encrypt_EncryptedData (context, |  | ||||||
| 					  crypto, |  | ||||||
| 					  KRB5_KU_KRB_CRED, |  | ||||||
| 					  buf, |  | ||||||
| 					  len, |  | ||||||
| 					  0, |  | ||||||
| 					  &cred.enc_part); |  | ||||||
| 	free(buf); |  | ||||||
| 	krb5_crypto_destroy(context, crypto); |  | ||||||
| 	if (ret) { |  | ||||||
| 	    free_KRB_CRED(&cred); |  | ||||||
| 	    return ret; | 	    return ret; | ||||||
| 	} | 	} | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     ASN1_MALLOC_ENCODE(KRB_CRED, buf, buf_size, &cred, &len, ret); |     /* | ||||||
|     free_KRB_CRED (&cred); |      * Client TGT inapplicable or unavailable | ||||||
|     if (ret) |      */ | ||||||
| 	return ret; |     krb5_free_principal(context, creds->server); | ||||||
|     if(buf_size != len) |     creds->server = 0; | ||||||
| 	krb5_abortx(context, "internal error in ASN.1 encoder"); |     return krb5_make_principal(context, &creds->server, server_realm, | ||||||
|     out_data->length = len; | 			       KRB5_TGS_NAME, server_realm, NULL); | ||||||
|     out_data->data   = buf; | } | ||||||
|  |  | ||||||
|  | /* | ||||||
|  |  * Obtain address list for hostname if server realm policy is not addressless. | ||||||
|  |  */ | ||||||
|  | static krb5_error_code | ||||||
|  | get_addresses(krb5_context      context, | ||||||
|  | 	      krb5_ccache       ccache, | ||||||
|  | 	      krb5_creds        *creds, | ||||||
|  | 	      const char        *hostname, | ||||||
|  | 	      krb5_addresses    *addrs) | ||||||
|  | { | ||||||
|  |     krb5_error_code ret; | ||||||
|  |     krb5_creds *ticket; | ||||||
|  |     krb5_const_realm realm; | ||||||
|  |     krb5_boolean noaddr; | ||||||
|  |     struct addrinfo *ai; | ||||||
|  |     int eai; | ||||||
|  |  | ||||||
|  |     if (hostname == 0) | ||||||
| 	return 0; | 	return 0; | ||||||
|  out4: |  | ||||||
|     free_EncKrbCredPart(&enc_krb_cred_part); |     ret = krb5_get_credentials(context, 0, ccache, creds, &ticket); | ||||||
|  out3: |     if (ret == 0) { | ||||||
|     free_KRB_CRED(&cred); |         noaddr = (ticket->addresses.len == 0) ? TRUE : FALSE; | ||||||
|  out2: | 	krb5_free_creds(context, ticket); | ||||||
|     krb5_free_creds (context, out_creds); |     } else { | ||||||
|  | 	realm = krb5_principal_get_realm(context, creds->server); | ||||||
|  | 	krb5_appdefault_boolean(context, NULL, realm, "no-addresses", | ||||||
|  | 				KRB5_ADDRESSLESS_DEFAULT, &noaddr); | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     if (noaddr) | ||||||
|  | 	return 0; | ||||||
|  |  | ||||||
|  |     /* Need addresses, get the address of the remote host. */ | ||||||
|  |  | ||||||
|  |     eai = getaddrinfo (hostname, NULL, NULL, &ai); | ||||||
|  |     if (eai) { | ||||||
|  | 	ret = krb5_eai_to_heim_errno(eai, errno); | ||||||
|  | 	krb5_set_error_message(context, ret, | ||||||
|  | 			       N_("resolving host %s failed: %s", | ||||||
|  | 				  "hostname, error"), | ||||||
|  | 			       hostname, gai_strerror(eai)); | ||||||
|  | 	return ret; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     ret = add_addrs(context, addrs, ai); | ||||||
|  |     freeaddrinfo(ai); | ||||||
|  |  | ||||||
|     return ret; |     return ret; | ||||||
| } | } | ||||||
|   | |||||||
| @@ -162,6 +162,19 @@ If a principal argument is specified, it is used as an explicit realm name for | |||||||
| anonymous pkinit even without an | anonymous pkinit even without an | ||||||
| .Li @ | .Li @ | ||||||
| prefix. | prefix. | ||||||
|  | .It Li delegate-destination-tgt = Va boolean | ||||||
|  | When forwarding credentials to a remote host, forward a TGT for the | ||||||
|  | realm of the destination host rather than a TGT for the user's realm. | ||||||
|  | This is useful when hosts in the remote realm should not or cannot | ||||||
|  | (e.g. firewalled from user realm's KDC) obtain tickets for services | ||||||
|  | in the user's realm. When the user's realm and the host's realm are | ||||||
|  | the same, this parameter has no effect.  The setting can be applied | ||||||
|  | to a single realm as follows: | ||||||
|  | .Bd -literal -offset indent | ||||||
|  | EXAMPLE.COM = { | ||||||
|  | 	delegate-destination-tgt = true | ||||||
|  | } | ||||||
|  | .Ed | ||||||
| .El | .El | ||||||
| .It Li [libdefaults] | .It Li [libdefaults] | ||||||
| .Bl -tag -width "xxx" -offset indent | .Bl -tag -width "xxx" -offset indent | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user