kdc: Add [kdc] params to control PA-ENC-TIMESTAMP

kdc/default_config.c

@@ -100,6 +100,8 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
     c->historical_anon_realm = FALSE;
     c->strict_nametypes = FALSE;
     c->trpolicy = TRPOLICY_ALWAYS_CHECK;
+    c->enable_armored_pa_enc_timestamp = TRUE;
+    c->enable_unarmored_pa_enc_timestamp = TRUE;
     c->enable_pkinit = FALSE;
     c->pkinit_princ_in_cert = TRUE;
     c->pkinit_require_binding = TRUE;
@@ -251,6 +253,21 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
 				      c->kdc_warn_pwexpire,
 				      "kdc", "kdc_warn_pwexpire", NULL);
 
+    c->enable_armored_pa_enc_timestamp =
+	krb5_config_get_bool_default(context,
+				     NULL,
+				     c->enable_armored_pa_enc_timestamp,
+				     "kdc",
+				     "enable_armored_pa_enc_timestamp",
+				     NULL);
+
+    c->enable_unarmored_pa_enc_timestamp =
+	krb5_config_get_bool_default(context,
+				     NULL,
+				     c->enable_unarmored_pa_enc_timestamp,
+				     "kdc",
+				     "enable_unarmored_pa_enc_timestamp",
+				     NULL);
 
     c->enable_pkinit =
 	krb5_config_get_bool_default(context,

kdc/kdc.h

@@ -84,6 +84,9 @@ typedef struct krb5_kdc_configuration {
     krb5_boolean strict_nametypes;
     enum krb5_kdc_trpolicy trpolicy;
 
+    krb5_boolean enable_armored_pa_enc_timestamp;
+    krb5_boolean enable_unarmored_pa_enc_timestamp;
+
     krb5_boolean enable_pkinit;
     krb5_boolean pkinit_princ_in_cert;
     const char *pkinit_kdc_identity;

kdc/kerberos5.c

@@ -727,6 +727,18 @@ pa_enc_ts_validate(astgs_request_t r, const PA_DATA *pa)
     Key *pa_key;
     char *str;
 
+    if (r->armor_crypto && !r->config->enable_armored_pa_enc_timestamp) {
+       ret = KRB5KDC_ERR_POLICY;
+       kdc_log(r->context, r->config, 0,
+               "Armored encrypted timestamp pre-authentication is disabled");
+       return ret;
+    } else if (!r->armor_crypto && !r->config->enable_unarmored_pa_enc_timestamp) {
+       ret = KRB5KDC_ERR_POLICY;
+       kdc_log(r->context, r->config, 0,
+               "Unarmored encrypted timestamp pre-authentication is disabled");
+       return ret;
+    }
+
     if (r->client->entry.flags.locked_out) {
        ret = KRB5KDC_ERR_CLIENT_REVOKED;
        kdc_log(r->context, r->config, 0,

lib/krb5/krb5.conf.5

@@ -805,6 +805,17 @@ addresses in the tickets.
 .It Li allow-null-ticket-addresses = Va BOOL
 Allow address-less tickets.
 .\" XXX
+.It Li enable_armored_pa_enc_timestamp = Va BOOL
+Enable armored encrypted timestamp pre-authentication with key
+strengthening.
+RFC 6113 says not to use PA-ENC-TIMESTAMP in FAST armored tunnels
+as there is a newer replacement, PA-ENC-CHALLENGE, but for
+interoperability with earlier versions of Heimdal, this is
+enabled by default for now.
+.It Li enable_unarmored_pa_enc_timestamp = Va BOOL
+Enable unarmored encrypted timestamp pre-authentication.
+Enabled by default for now, but in a future release will be
+disabled.
 .It Li allow-anonymous = Va BOOL
 If the kdc is allowed to hand out anonymous tickets.
 .It Li synthetic_clients = Va BOOL