oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Make kdc name type strictness configurable

Browse Source
This commit is contained in:
Nicolas Williams
2016-11-13 22:42:49 -06:00
parent 961f543a27
commit 9e2b696190
3 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
kdc/default_config.c
View File

@@ -59,6 +59,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->check_ticket_addresses = TRUE; c->check_ticket_addresses = TRUE;
c->allow_null_ticket_addresses = TRUE; c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE; c->allow_anonymous = FALSE;
c->strict_nametypes = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK; c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->enable_pkinit = FALSE; c->enable_pkinit = FALSE;
c->pkinit_princ_in_cert = TRUE; c->pkinit_princ_in_cert = TRUE;
@@ -163,6 +164,12 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
"kdc", "kdc",
"allow-anonymous", NULL); "allow-anonymous", NULL);
c->strict_nametypes =
krb5_config_get_bool_default(context, NULL,
c->strict_nametypes,
"kdc",
"strict-nametypes", NULL);
c->max_datagram_reply_length = c->max_datagram_reply_length =
krb5_config_get_int_default(context, krb5_config_get_int_default(context,
NULL, NULL,

1
kdc/kdc.h
View File

@@ -69,6 +69,7 @@ typedef struct krb5_kdc_configuration {
krb5_boolean check_ticket_addresses; krb5_boolean check_ticket_addresses;
krb5_boolean allow_null_ticket_addresses; krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous; krb5_boolean allow_anonymous;
krb5_boolean strict_nametypes;
enum krb5_kdc_trpolicy trpolicy; enum krb5_kdc_trpolicy trpolicy;
krb5_boolean enable_pkinit; krb5_boolean enable_pkinit;

22
kdc/misc.c
View File

@@ -33,6 +33,22 @@
#include "kdc_locl.h" #include "kdc_locl.h"
static int
name_type_ok(krb5_context context,
krb5_kdc_configuration *config,
krb5_const_principal principal)
{
int nt = krb5_principal_get_type(context, principal);
if (!krb5_principal_is_krbtgt(context, principal))
return 1;
if (nt == KRB5_NT_SRV_INST || nt == KRB5_NT_UNKNOWN)
return 1;
if (config->strict_nametypes == 0)
return 1;
return 0;
}
struct timeval _kdc_now; struct timeval _kdc_now;
krb5_error_code krb5_error_code
@@ -44,7 +60,7 @@ _kdc_db_fetch(krb5_context context,
HDB **db, HDB **db,
hdb_entry_ex **h) hdb_entry_ex **h)
{ {
hdb_entry_ex *ent; hdb_entry_ex *ent = NULL;
krb5_error_code ret = HDB_ERR_NOENTRY; krb5_error_code ret = HDB_ERR_NOENTRY;
int i; int i;
unsigned kvno = 0; unsigned kvno = 0;
@@ -53,6 +69,9 @@ _kdc_db_fetch(krb5_context context,
*h = NULL; *h = NULL;
if (!name_type_ok(context, config, principal))
goto out2;
if (kvno_ptr != NULL && *kvno_ptr != 0) { if (kvno_ptr != NULL && *kvno_ptr != 0) {
kvno = *kvno_ptr; kvno = *kvno_ptr;
flags |= HDB_F_KVNO_SPECIFIED; flags |= HDB_F_KVNO_SPECIFIED;
@@ -131,6 +150,7 @@ _kdc_db_fetch(krb5_context context,
} }
} }
out2:
if (ret == HDB_ERR_NOENTRY) { if (ret == HDB_ERR_NOENTRY) {
krb5_set_error_message(context, ret, "no such entry found in hdb"); krb5_set_error_message(context, ret, "no such entry found in hdb");
} }