kdc: Add warn_ticket_addresses config option

2021-04-13 23:20:59 -05:00
parent 6633f6e525
commit a5e289f4f7
7 changed files with 54 additions and 12 deletions
--- a/lib/krb5/krb5.conf.5
+++ b/lib/krb5/krb5.conf.5
@@ -773,6 +773,9 @@ target service principal's hdb entry's current keyset.  Defaults to TRUE.
 .It Li check-ticket-addresses = Va BOOL
 Verify the addresses in the tickets used in tgs requests.
 .\" XXX
+.It Li warn_ticket_addresses = Va BOOL
+Warn about, but allow, usage of tickets from hosts that don't match the
+addresses in the tickets.
 .It Li allow-null-ticket-addresses = Va BOOL
 Allow address-less tickets.
 .\" XXX
--- a/lib/krb5/krb5.h
+++ b/lib/krb5/krb5.h
@@ -439,6 +439,7 @@ typedef union {
 /* flags for krb5_verify_ap_req */

 #define KRB5_VERIFY_AP_REQ_IGNORE_INVALID	(1 << 0)
+#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS		(1 << 1)

 #define KRB5_GC_CACHED			(1U << 0)
 #define KRB5_GC_USER_USER		(1U << 1)
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -307,6 +307,7 @@ krb5_verify_ap_req2(krb5_context context,
    krb5_auth_context ac;
    krb5_error_code ret;
    EtypeList etypes;
+    int badaddr = 0;

    memset(&etypes, 0, sizeof(etypes));

@@ -391,9 +392,19 @@ krb5_verify_ap_req2(krb5_context context,
 	&& !krb5_address_search (context,
 				 ac->remote_address,
 				 t->ticket.caddr)) {
-	ret = KRB5KRB_AP_ERR_BADADDR;
-	krb5_clear_error_message (context);
-	goto out;
+        /*
+         * Hack alert.  If KRB5_VERIFY_AP_REQ_IGNORE_ADDRS and the client's
+         * address didn't check out then we'll return KRB5KRB_AP_ERR_BADADDR
+         * even on success, and we'll let the caller figure it out because
+         * `*ticket != NULL' or `*auth_context != NULL'.
+         */
+        if ((flags & KRB5_VERIFY_AP_REQ_IGNORE_ADDRS)) {
+            badaddr = 1;
+        } else {
+            ret = KRB5KRB_AP_ERR_BADADDR;
+            krb5_clear_error_message(context);
+            goto out;
+        }
    }

    /* check timestamp in authenticator */
@@ -463,6 +474,11 @@ krb5_verify_ap_req2(krb5_context context,
    } else
 	krb5_auth_con_free (context, ac);
    free_EtypeList(&etypes);
+
+    if (badaddr) {
+        krb5_clear_error_message(context);
+        return KRB5KRB_AP_ERR_BADADDR;
+    }
    return 0;
 out:
    free_EtypeList(&etypes);