kdc: Add [kdc] params to control PA-ENC-TIMESTAMP

2021-12-08 21:22:09 -06:00
parent 717ad8b043
commit 660f875a34
4 changed files with 44 additions and 1 deletions
--- a/kdc/default_config.c
+++ b/kdc/default_config.c
@@ -100,6 +100,8 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
    c->historical_anon_realm = FALSE;
    c->strict_nametypes = FALSE;
    c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+    c->enable_armored_pa_enc_timestamp = TRUE;
+    c->enable_unarmored_pa_enc_timestamp = TRUE;
    c->enable_pkinit = FALSE;
    c->pkinit_princ_in_cert = TRUE;
    c->pkinit_require_binding = TRUE;
@@ -251,6 +253,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 				      c->kdc_warn_pwexpire,
 				      "kdc", "kdc_warn_pwexpire", NULL);

+    c->enable_armored_pa_enc_timestamp =
+	krb5_config_get_bool_default(context,
+				     NULL,
+				     c->enable_armored_pa_enc_timestamp,
+				     "kdc",
+				     "enable_armored_pa_enc_timestamp",
+				     NULL);
+
+    c->enable_unarmored_pa_enc_timestamp =
+	krb5_config_get_bool_default(context,
+				     NULL,
+				     c->enable_unarmored_pa_enc_timestamp,
+				     "kdc",
+				     "enable_unarmored_pa_enc_timestamp",
+				     NULL);

    c->enable_pkinit =
 	krb5_config_get_bool_default(context,
--- a/kdc/kdc.h
+++ b/kdc/kdc.h
@@ -84,6 +84,9 @@ typedef struct krb5_kdc_configuration {
    krb5_boolean strict_nametypes;
    enum krb5_kdc_trpolicy trpolicy;

+    krb5_boolean enable_armored_pa_enc_timestamp;
+    krb5_boolean enable_unarmored_pa_enc_timestamp;
+
    krb5_boolean enable_pkinit;
    krb5_boolean pkinit_princ_in_cert;
    const char *pkinit_kdc_identity;
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -726,7 +726,19 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
    size_t len;
    Key *pa_key;
    char *str;
-	
+
+    if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp) {
+       ret = KRB5KDC_ERR_POLICY;
+       kdc_log(r->context, r->config, 0,
+               "Armored encrypted timestamp pre-authentication is disabled");
+       return ret;
+    } else if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp) {
+       ret = KRB5KDC_ERR_POLICY;
+       kdc_log(r->context, r->config, 0,
+               "Unarmored encrypted timestamp pre-authentication is disabled");
+       return ret;
+    }
+
    if (r->client->entry.flags.locked_out) {
       ret = KRB5KDC_ERR_CLIENT_REVOKED;
       kdc_log(r->context, r->config, 0,
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -805,6 +805,17 @@ addresses in the tickets.
 .It Li allow-null-ticket-addresses = Va BOOL
 Allow address-less tickets.
 .\" XXX
+.It Li enable_armored_pa_enc_timestamp = Va BOOL
+Enable armored encrypted timestamp pre-authentication with key
+strengthening.
+RFC 6113 says not to use PA-ENC-TIMESTAMP in FAST armored tunnels
+as there is a newer replacement, PA-ENC-CHALLENGE, but for
+interoperability with earlier versions of Heimdal, this is
+enabled by default for now.
+.It Li enable_unarmored_pa_enc_timestamp = Va BOOL
+Enable unarmored encrypted timestamp pre-authentication.
+Enabled by default for now, but in a future release will be
+disabled.
 .It Li allow-anonymous = Va BOOL
 If the kdc is allowed to hand out anonymous tickets.
 .It Li synthetic_clients = Va BOOL