oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: Add [kdc] params to control PA-ENC-TIMESTAMP

Browse Source
This commit is contained in:
Nicolas Williams
2021-12-08 21:22:09 -06:00
committed by Luke Howard
parent 717ad8b043
commit 660f875a34
4 changed files with 44 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
kdc/default_config.c
View File

@@ -100,6 +100,8 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->historical_anon_realm = FALSE; c->historical_anon_realm = FALSE;
c->strict_nametypes = FALSE; c->strict_nametypes = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK; c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->enable_armored_pa_enc_timestamp = TRUE;
c->enable_unarmored_pa_enc_timestamp = TRUE;
c->enable_pkinit = FALSE; c->enable_pkinit = FALSE;
c->pkinit_princ_in_cert = TRUE; c->pkinit_princ_in_cert = TRUE;
c->pkinit_require_binding = TRUE; c->pkinit_require_binding = TRUE;
@@ -251,6 +253,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->kdc_warn_pwexpire, c->kdc_warn_pwexpire,
"kdc", "kdc_warn_pwexpire", NULL); "kdc", "kdc_warn_pwexpire", NULL);
c->enable_armored_pa_enc_timestamp =
krb5_config_get_bool_default(context,
NULL,
c->enable_armored_pa_enc_timestamp,
"kdc",
"enable_armored_pa_enc_timestamp",
NULL);
c->enable_unarmored_pa_enc_timestamp =
krb5_config_get_bool_default(context,
NULL,
c->enable_unarmored_pa_enc_timestamp,
"kdc",
"enable_unarmored_pa_enc_timestamp",
NULL);
c->enable_pkinit = c->enable_pkinit =
krb5_config_get_bool_default(context, krb5_config_get_bool_default(context,

3
kdc/kdc.h
View File

@@ -84,6 +84,9 @@ typedef struct krb5_kdc_configuration {
krb5_boolean strict_nametypes; krb5_boolean strict_nametypes;
enum krb5_kdc_trpolicy trpolicy; enum krb5_kdc_trpolicy trpolicy;
krb5_boolean enable_armored_pa_enc_timestamp;
krb5_boolean enable_unarmored_pa_enc_timestamp;
krb5_boolean enable_pkinit; krb5_boolean enable_pkinit;
krb5_boolean pkinit_princ_in_cert; krb5_boolean pkinit_princ_in_cert;
const char *pkinit_kdc_identity; const char *pkinit_kdc_identity;

12
kdc/kerberos5.c
View File

@@ -727,6 +727,18 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
Key *pa_key; Key *pa_key;
char *str; char *str;
if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(r->context, r->config, 0,
"Armored encrypted timestamp pre-authentication is disabled");
return ret;
} else if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp) {
ret = KRB5KDC_ERR_POLICY;
kdc_log(r->context, r->config, 0,
"Unarmored encrypted timestamp pre-authentication is disabled");
return ret;
}
if (r->client->entry.flags.locked_out) { if (r->client->entry.flags.locked_out) {
ret = KRB5KDC_ERR_CLIENT_REVOKED; ret = KRB5KDC_ERR_CLIENT_REVOKED;
kdc_log(r->context, r->config, 0, kdc_log(r->context, r->config, 0,

11
lib/krb5/krb5.conf.5
View File

@@ -805,6 +805,17 @@ addresses in the tickets.
.It Li allow-null-ticket-addresses = Va BOOL .It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets. Allow address-less tickets.
.\" XXX .\" XXX
.It Li enable_armored_pa_enc_timestamp = Va BOOL
Enable armored encrypted timestamp pre-authentication with key
strengthening.
RFC 6113 says not to use PA-ENC-TIMESTAMP in FAST armored tunnels
as there is a newer replacement, PA-ENC-CHALLENGE, but for
interoperability with earlier versions of Heimdal, this is
enabled by default for now.
.It Li enable_unarmored_pa_enc_timestamp = Va BOOL
Enable unarmored encrypted timestamp pre-authentication.
Enabled by default for now, but in a future release will be
disabled.
.It Li allow-anonymous = Va BOOL .It Li allow-anonymous = Va BOOL
If the kdc is allowed to hand out anonymous tickets. If the kdc is allowed to hand out anonymous tickets.
.It Li synthetic_clients = Va BOOL .It Li synthetic_clients = Va BOOL