kdc: Improve warn_ticket_addresses feature

- Don't log "Request from wrong address (ignoring)".
 - Add "wrongaddr=yes" kv to final log message.
 - Add request and ticket addresses (up to 3) to final log message.
Nicolas Williams
2021-05-12 17:54:36 -05:00
parent 8807a0aad9
commit 9ce3cbbf2a
4 changed files with 34 additions and 4 deletions


@@ -2199,10 +2199,13 @@ _kdc_as_rep(astgs_request_t r)
goto out;
}
if (b->addresses)
_kdc_audit_addaddrs((kdc_request_t)r, b->addresses, "reqaddrs");
/* check for valid set of addresses */
if (!_kdc_check_addresses(r, b->addresses, r->addr)) {
if (r->config->warn_ticket_addresses) {
kdc_log(context, config, 4, "Request from wrong address (ignoring)");
_kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
} else {
_kdc_set_e_text(r, "Request from wrong address");
ret = KRB5KRB_AP_ERR_BADADDR;
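Review bot: The rejecting branch under `} else {` in this hunk sets `ret = KRB5KRB_AP_ERR_BADADDR;` without recording a `wrongaddr` entry, whereas the same commit adds `_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");` to the corresponding rejecting branch in the TGS `server_lookup` hunk. An operator filtering the audit trail on `wrongaddr` would thus see warned-but-accepted AS requests but miss the ones that were actually refused. Adding `_kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");` before the `ret =` assignment keeps the two paths consistent. `_kdc_as_rep` begins before the hunk and the else branch continues past its end.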


@@ -1351,9 +1351,11 @@ next_kvno:
&ap_req_options,
ticket,
KRB5_KU_TGS_REQ_AUTH);
if (ticket && (*ticket)->ticket.caddr)
_kdc_audit_addaddrs((kdc_request_t)r, (*ticket)->ticket.caddr, "tixaddrs");
if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
*ticket != NULL) {
kdc_log(context, config, 4, "Request from wrong address (ignoring)");
_kdc_audit_addkv((kdc_request_t)r, 0, "wrongaddr", "yes");
ret = 0;
}
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
@@ -2396,10 +2398,11 @@ server_lookup:
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
if (config->check_ticket_addresses) {
ret = KRB5KRB_AP_ERR_BADADDR;
_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
kdc_log(context, config, 4, "Request from wrong address");
goto out;
} else if (config->warn_ticket_addresses) {
kdc_log(context, config, 4, "Request from wrong address (ignoring)");
_kdc_audit_addkv((kdc_request_t)priv, 0, "wrongaddr", "yes");
}
}
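Review bot: The new guard `if (ticket && (*ticket)->ticket.caddr)` in the `next_kvno` hunk dereferences `*ticket` without testing it, while the pre-existing condition two lines below checks `*ticket != NULL`, which suggests `*ticket` can be NULL at this point (presumably when the call whose arguments end at `KRB5_KU_TGS_REQ_AUTH` fails). If so, a request that fails ticket decoding would crash the KDC here before the error is handled. The guard should read `if (ticket && *ticket && (*ticket)->ticket.caddr)`. The enclosing function starts and ends outside the hunk.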


@@ -94,6 +94,30 @@ _kdc_audit_addkv_timediff(kdc_request_t r, const char *k,
heim_audit_addkv_timediff((heim_svc_req_desc)r,k, start, end);
}
/*
* Add up to 3 key value pairs to record HostAddresses from request body or
* PA-TGS ticket or whatever.
*/
void
_kdc_audit_addaddrs(kdc_request_t r, HostAddresses *a, const char *key)
{
size_t i;
char buf[128];
if (a->len > 3) {
char numkey[32];
if (snprintf(numkey, sizeof(numkey), "num%s", key) >= sizeof(numkey))
numkey[31] = '\0';
_kdc_audit_addkv(r, 0, numkey, "%llu", (unsigned long long)a->len);
}
for (i = 0; i < 3 && i < a->len; i++) {
if (krb5_print_address(&a->val[0], buf, sizeof(buf), NULL) == 0)
_kdc_audit_addkv(r, 0, key, "%s", buf);
}
}
void
_kdc_audit_trail(kdc_request_t r, krb5_error_code ret)
{
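Review bot: The loop in `_kdc_audit_addaddrs` iterates `i` but always prints `&a->val[0]`, so a request or ticket carrying several addresses has its first address repeated up to three times in the audit line and the remaining addresses are never recorded; the call should be `if (krb5_print_address(&a->val[i], buf, sizeof(buf), NULL) == 0)`. The `numkey[31] = '\0'` fallback is redundant because `snprintf` always NUL-terminates when given a non-zero size, and the `>= sizeof(numkey)` comparison mixes a signed `int` return with `size_t`; the key can simply be written with the single `snprintf` call and the check dropped. Both callers added in this commit test the `HostAddresses` pointer before calling, so the header comment could state that `a` must be non-NULL rather than leaving that contract implicit. `_kdc_audit_trail` begins at the end of this hunk and its body lies outside it.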


@@ -589,7 +589,7 @@ ${kgetcred} -H HTTP/${server}@${R} ||
KRB5CCNAME=$cache $gsstoken HTTP@$server | KRB5_KTNAME="$keytab" $gsstoken -r ||
{ echo "Trivial offline CA test failed (gss-token)"; exit 2; }
grep 'Request from wrong address .ignoring' ${objdir}/messages.log ||
grep 'REQ.*wrongaddr' ${objdir}/messages.log ||
{ echo "KDC not warning about requests from wrong address"; exit 2; }
echo "Fetching a Negotiate token"