oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: Add warn_ticket_addresses config option

Browse Source
This commit is contained in:
Nicolas Williams
2021-04-13 23:20:59 -05:00
parent 6633f6e525
commit a5e289f4f7
7 changed files with 54 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
kdc/default_config.c
View File

@@ -93,6 +93,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->svc_use_strongest_session_key = FALSE; c->svc_use_strongest_session_key = FALSE;
c->use_strongest_server_key = TRUE; c->use_strongest_server_key = TRUE;
c->check_ticket_addresses = TRUE; c->check_ticket_addresses = TRUE;
c->warn_ticket_addresses = FALSE;
c->allow_null_ticket_addresses = TRUE; c->allow_null_ticket_addresses = TRUE;
c->allow_anonymous = FALSE; c->allow_anonymous = FALSE;
c->historical_anon_realm = FALSE; c->historical_anon_realm = FALSE;
@@ -176,6 +177,11 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->check_ticket_addresses, c->check_ticket_addresses,
"kdc", "kdc",
"check-ticket-addresses", NULL); "check-ticket-addresses", NULL);
c->warn_ticket_addresses =
krb5_config_get_bool_default(context, NULL,
c->warn_ticket_addresses,
"kdc",
"warn_ticket_addresses", NULL);
c->allow_null_ticket_addresses = c->allow_null_ticket_addresses =
krb5_config_get_bool_default(context, NULL, krb5_config_get_bool_default(context, NULL,
c->allow_null_ticket_addresses, c->allow_null_ticket_addresses,

1
kdc/kdc.h
View File

@@ -68,6 +68,7 @@ typedef struct krb5_kdc_configuration {
krb5_boolean use_strongest_server_key; krb5_boolean use_strongest_server_key;
krb5_boolean check_ticket_addresses; krb5_boolean check_ticket_addresses;
krb5_boolean warn_ticket_addresses;
krb5_boolean allow_null_ticket_addresses; krb5_boolean allow_null_ticket_addresses;
krb5_boolean allow_anonymous; krb5_boolean allow_anonymous;
krb5_boolean historical_anon_realm; krb5_boolean historical_anon_realm;

9
kdc/kerberos5.c
View File

@@ -1644,10 +1644,15 @@ _kdc_check_addresses(astgs_request_t r, HostAddresses *addresses,
krb5_boolean only_netbios = TRUE; krb5_boolean only_netbios = TRUE;
size_t i; size_t i;
if(config->check_ticket_addresses == 0) if (!config->check_ticket_addresses && !config->warn_ticket_addresses)
return TRUE; return TRUE;
if(addresses == NULL) /*
* Fields of HostAddresses type are always OPTIONAL and should be non-
* empty, but we check for empty just in case as our compiler doesn't
* support size constraints on SEQUENCE OF.
*/
if (addresses == NULL || addresses->len == 0)
return config->allow_null_ticket_addresses; return config->allow_null_ticket_addresses;
for (i = 0; i < addresses->len; ++i) { for (i = 0; i < addresses->len; ++i) {

24
kdc/krb5tgs.c
View File

@@ -1214,7 +1214,7 @@ tgs_parse_request(astgs_request_t r,
krb5_principal princ; krb5_principal princ;
krb5_auth_context ac = NULL; krb5_auth_context ac = NULL;
krb5_flags ap_req_options; krb5_flags ap_req_options;
krb5_flags verify_ap_req_flags; krb5_flags verify_ap_req_flags = 0;
krb5_crypto crypto; krb5_crypto crypto;
krb5uint32 krbtgt_kvno; /* kvno used for the PA-TGS-REQ AP-REQ Ticket */ krb5uint32 krbtgt_kvno; /* kvno used for the PA-TGS-REQ AP-REQ Ticket */
krb5uint32 krbtgt_kvno_try; krb5uint32 krbtgt_kvno_try;
@@ -1337,9 +1337,10 @@ next_kvno:
} }
if (b->kdc_options.validate) if (b->kdc_options.validate)
verify_ap_req_flags = KRB5_VERIFY_AP_REQ_IGNORE_INVALID; verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_INVALID;
else
verify_ap_req_flags = 0; if (r->config->warn_ticket_addresses)
verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_IGNORE_ADDRS;
ret = krb5_verify_ap_req2(context, ret = krb5_verify_ap_req2(context,
&ac, &ac,
@@ -1350,6 +1351,11 @@ next_kvno:
&ap_req_options, &ap_req_options,
ticket, ticket,
KRB5_KU_TGS_REQ_AUTH); KRB5_KU_TGS_REQ_AUTH);
if (r->config->warn_ticket_addresses && ret == KRB5KRB_AP_ERR_BADADDR &&
*ticket != NULL) {
kdc_log(context, config, 4, "Request from wrong address (ignoring)");
ret = 0;
}
if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) { if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY && kvno_search_tries > 0) {
kvno_search_tries--; kvno_search_tries--;
krbtgt_kvno_try--; krbtgt_kvno_try--;
@@ -2388,9 +2394,13 @@ server_lookup:
/* check for valid set of addresses */ /* check for valid set of addresses */
if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) { if (!_kdc_check_addresses(priv, tgt->caddr, from_addr)) {
ret = KRB5KRB_AP_ERR_BADADDR; if (config->check_ticket_addresses) {
kdc_log(context, config, 4, "Request from wrong address"); ret = KRB5KRB_AP_ERR_BADADDR;
goto out; kdc_log(context, config, 4, "Request from wrong address");
goto out;
} else if (config->warn_ticket_addresses) {
kdc_log(context, config, 4, "Request from wrong address (ignoring)");
}
} }
/* check local and per-principal anonymous ticket issuance policy */ /* check local and per-principal anonymous ticket issuance policy */

3
lib/krb5/krb5.conf.5
View File

@@ -773,6 +773,9 @@ target service principal's hdb entry's current keyset. Defaults to TRUE.
.It Li check-ticket-addresses = Va BOOL .It Li check-ticket-addresses = Va BOOL
Verify the addresses in the tickets used in tgs requests. Verify the addresses in the tickets used in tgs requests.
.\" XXX .\" XXX
.It Li warn_ticket_addresses = Va BOOL
Warn about, but allow, usage of tickets from hosts that don't match the
addresses in the tickets.
.It Li allow-null-ticket-addresses = Va BOOL .It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets. Allow address-less tickets.
.\" XXX .\" XXX

1
lib/krb5/krb5.h
View File

@@ -439,6 +439,7 @@ typedef union {
/* flags for krb5_verify_ap_req */ /* flags for krb5_verify_ap_req */
#define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0) #define KRB5_VERIFY_AP_REQ_IGNORE_INVALID (1 << 0)
#define KRB5_VERIFY_AP_REQ_IGNORE_ADDRS (1 << 1)
#define KRB5_GC_CACHED (1U << 0) #define KRB5_GC_CACHED (1U << 0)
#define KRB5_GC_USER_USER (1U << 1) #define KRB5_GC_USER_USER (1U << 1)

22
lib/krb5/rd_req.c
View File

@@ -307,6 +307,7 @@ krb5_verify_ap_req2(krb5_context context,
krb5_auth_context ac; krb5_auth_context ac;
krb5_error_code ret; krb5_error_code ret;
EtypeList etypes; EtypeList etypes;
int badaddr = 0;
memset(&etypes, 0, sizeof(etypes)); memset(&etypes, 0, sizeof(etypes));
@@ -391,9 +392,19 @@ krb5_verify_ap_req2(krb5_context context,
&& !krb5_address_search (context, && !krb5_address_search (context,
ac->remote_address, ac->remote_address,
t->ticket.caddr)) { t->ticket.caddr)) {
ret = KRB5KRB_AP_ERR_BADADDR; /*
krb5_clear_error_message (context); * Hack alert. If KRB5_VERIFY_AP_REQ_IGNORE_ADDRS and the client's
goto out; * address didn't check out then we'll return KRB5KRB_AP_ERR_BADADDR
* even on success, and we'll let the caller figure it out because
* `*ticket != NULL' or `*auth_context != NULL'.
*/
if ((flags & KRB5_VERIFY_AP_REQ_IGNORE_ADDRS)) {
badaddr = 1;
} else {
ret = KRB5KRB_AP_ERR_BADADDR;
krb5_clear_error_message(context);
goto out;
}
} }
/* check timestamp in authenticator */ /* check timestamp in authenticator */
@@ -463,6 +474,11 @@ krb5_verify_ap_req2(krb5_context context,
} else } else
krb5_auth_con_free (context, ac); krb5_auth_con_free (context, ac);
free_EtypeList(&etypes); free_EtypeList(&etypes);
if (badaddr) {
krb5_clear_error_message(context);
return KRB5KRB_AP_ERR_BADADDR;
}
return 0; return 0;
out: out:
free_EtypeList(&etypes); free_EtypeList(&etypes);