From 90645a3e39b451f2c25e696092f8b5439a5b6661 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Mon, 30 May 2005 10:17:43 +0000
Subject: [PATCH] Add option to disallow getting krbtgt out from from KCM. KCM will do the fetching part itself.
git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@15296 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 kcm/config.c | 11 +++++++++++
 kcm/protocol.c | 9 +++++++++
 2 files changed, 20 insertions(+)
diff --git a/kcm/config.c b/kcm/config.c
index 6c61e845a..361603409 100644
--- a/kcm/config.c
+++ b/kcm/config.c
@@ -58,6 +58,7 @@ static const char *system_group = NULL;
 static const char *renew_life = NULL;
 static const char *ticket_life = NULL;
+int disallow_getting_krbtgt = -1;
 int name_constraints = -1;
 static int help_flag;
@@ -108,6 +109,10 @@ static struct getargs args[] = {
 "name-constraints", 'n', arg_negative_flag, &name_constraints,
 "disable credentials cache name constraints"
 },
+ {
+ "disallow-getting-krbtgt", 0, arg_flag, &disallow_getting_krbtgt,
+ "disable fetching krbtgt from the cache"
+ },
 {
 "renewable-life", 'r', arg_string, &renew_life,
 "renewable lifetime of system tickets", "time"
@@ -296,6 +301,12 @@ ccache_init_system(void)
 ccache->mode = mode;
 }
+ if (disallow_getting_krbtgt == -1) {
+ disallow_getting_krbtgt =
+ krb5_config_get_bool_default(kcm_context, NULL, FALSE, "kcm",
+ "disallow-getting-krbtgt", NULL);
+ }
+
 /* enqueue default actions for credentials cache */
 ret = kcm_ccache_enqueue_default(kcm_context, ccache, NULL);
diff --git a/kcm/protocol.c b/kcm/protocol.c
index 096fb0455..89300a623 100644
--- a/kcm/protocol.c
+++ b/kcm/protocol.c
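Review bot: In kcm/config.c the default for `disallow_getting_krbtgt` is resolved only inside ccache_init_system(), while the new test in kcm/protocol.c treats any non-zero value as enabled, so the unresolved sentinel `-1` reads as "disallow". If ccache_init_system() is not called or returns before this point (its start and its callers are outside the hunk, so this is inferred), every matching retrieval would be refused regardless of the configuration file. Resolving the setting in the general configuration path rather than in the system-cache setup would make the effective value independent of whether a system cache is configured. A comment on the declaration such as `/* -1 = unset, 0 = allow, 1 = refuse krbtgt retrieval over KCM */` would document the tri-state.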
@@ -315,6 +315,15 @@ kcm_op_retrieve(krb5_context context,
 return ret;
 }
+ if (disallow_getting_krbtgt &&
+ mcreds.client->name.name_string.len == 2 &&
+ strcmp(mcreds.client->name.name_string.val[0], KRB5_TGS_NAME) == 0)
+ {
+ free(name);
+ krb5_free_creds_contents(context, &mcreds);
+ return KRB5_FCC_PERM;
+ }
+
 ret = kcm_ccache_resolve_client(context, client, opcode, name, &ccache);
 if (ret) {
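Review bot: The new guard in kcm_op_retrieve() tests `mcreds.client`, but a ticket-granting ticket is identified by its server principal (krbtgt/REALM), so as written the option would normally not match a TGT request; `mcreds.server` looks like the intended field. The pointer is also dereferenced without a check, so if the request decoder can leave it unset (not visible in this hunk) a malformed request would crash the daemon; a suggested condition is `mcreds.server != NULL && mcreds.server->name.name_string.len == 2 && strcmp(mcreds.server->name.name_string.val[0], KRB5_TGS_NAME) == 0`. The test looks only at the requested match pattern, not at the credential eventually returned, so it is worth confirming that a looser match cannot still hand back a krbtgt. The function starts and ends outside the hunk.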