kadmin: Add disallow-client attribute

This is useful for service principals that never need to act as clients: for example, an
untrusted service that only needs to accept authentication from clients
and never initiates authentication to other services.
Nicolas Williams
2021-06-22 12:59:01 -05:00
parent f6ac4ee864
commit ae8908bf81
6 changed files with 37 additions and 11 deletions

@ -336,10 +336,14 @@ Possible attributes are:
.Li new-princ ,
.Li support-desmd5 ,
.Li pwchange-service ,
.Li disallow-client ,
.Li disallow-svr ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li allow-digest ,
.Li trusted-for-delegation ,
.Li ok-as-delegate ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,

@ -54,6 +54,7 @@ struct units kdb_attrs[] = {
{ "new-princ", KRB5_KDB_NEW_PRINC },
{ "support-desmd5", KRB5_KDB_SUPPORT_DESMD5 },
{ "pwchange-service", KRB5_KDB_PWCHANGE_SERVICE },
{ "disallow-client", KRB5_KDB_DISALLOW_CLIENT },
{ "disallow-svr", KRB5_KDB_DISALLOW_SVR },
{ "requires-pw-change", KRB5_KDB_REQUIRES_PWCHANGE },
{ "requires-hw-auth", KRB5_KDB_REQUIRES_HW_AUTH },

@ -69,13 +69,30 @@
#define KRB5_KDB_PWCHANGE_SERVICE 0x00002000
#define KRB5_KDB_SUPPORT_DESMD5 0x00004000
#define KRB5_KDB_NEW_PRINC 0x00008000
#define KRB5_KDB_OK_AS_DELEGATE 0x00010000
#define KRB5_KDB_TRUSTED_FOR_DELEGATION 0x00020000
#define KRB5_KDB_ALLOW_KERBEROS4 0x00040000
#define KRB5_KDB_ALLOW_DIGEST 0x00080000
#define KRB5_KDB_MATERIALIZE 0x00100000
#define KRB5_KDB_VIRTUAL_KEYS 0x00200000
#define KRB5_KDB_VIRTUAL 0x00400000
#define KRB5_KDB_OK_AS_DELEGATE 0x00010000 /* 0x00100000 in MIT */
#define KRB5_KDB_TRUSTED_FOR_DELEGATION 0x00020000 /* MIT has as 0x00200000 */
#define KRB5_KDB_ALLOW_KERBEROS4 0x00040000 /* MIT doesn't have this; XXX remove */
#define KRB5_KDB_ALLOW_DIGEST 0x00080000 /* MIT doesn't have this */
#define KRB5_KDB_MATERIALIZE 0x00100000 /* MIT doesn't have this */
#define KRB5_KDB_VIRTUAL_KEYS 0x00200000 /* MIT doesn't have this */
#define KRB5_KDB_VIRTUAL 0x00400000 /* MIT doesn't have this */
#define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this */
/*
* MIT has:
*
* - Same as our KRB5_KDB_TRUSTED_FOR_DELEGATION:
*
* #define KRB5_KDB_OK_TO_AUTH_AS_DELEGATE 0x00200000 // S4U2Self OK
*
* - Misc:
*
* #define KRB5_KDB_NO_AUTH_DATA_REQUIRED 0x00400000 // Don't lookup / add
* // authz data
* #define KRB5_KDB_LOCKDOWN_KEYS 0x00800000 // Don't allow
* // deletion of princ
*/
#define KADM5_PRINCIPAL 0x000001U
#define KADM5_PRINC_EXPIRE_TIME 0x000002U
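Review bot: The new KRB5_KDB_DISALLOW_CLIENT value 0x00800000 is the same bit that the comment block directly beneath it lists as MIT's KRB5_KDB_LOCKDOWN_KEYS, so the `/* MIT doesn't have this */` annotation is true of the name but not of the bit position. The existing MATERIALIZE, VIRTUAL_KEYS and VIRTUAL values already sit on MIT's OK_AS_DELEGATE, OK_TO_AUTH_AS_DELEGATE and NO_AUTH_DATA_REQUIRED bits, so this is a continuation of an existing pattern rather than a new problem, but this one pairs a "disable as client" bit with a "don't allow key deletion" bit, and if the attribute word is ever passed through unchanged from a tool built against MIT headers the two would silently swap meaning. Whether kadm5 attribute words actually cross a protocol boundary unchanged cannot be confirmed from this hunk, so at minimum record the overlap on the line itself: `#define KRB5_KDB_DISALLOW_CLIENT 0x00800000 /* MIT doesn't have this; 0x00800000 is KRB5_KDB_LOCKDOWN_KEYS in MIT */`.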

@ -55,7 +55,7 @@ attr_to_flags(unsigned attr, HDBFlags *flags)
/* HW_AUTH */
flags->server = !(attr & KRB5_KDB_DISALLOW_SVR);
flags->change_pw = !!(attr & KRB5_KDB_PWCHANGE_SERVICE);
flags->client = 1; /* XXX */
flags->client = !(attr & KRB5_KDB_DISALLOW_CLIENT);
flags->ok_as_delegate = !!(attr & KRB5_KDB_OK_AS_DELEGATE);
flags->trusted_for_delegation = !!(attr & KRB5_KDB_TRUSTED_FOR_DELEGATION);
flags->allow_kerberos4 = !!(attr & KRB5_KDB_ALLOW_KERBEROS4);
@ -162,10 +162,10 @@ perform_tl_data(krb5_context context,
}
static void
default_flags(hdb_entry_ex *ent, int server)
default_flags(hdb_entry_ex *ent)
{
ent->entry.flags.client = 1;
ent->entry.flags.server = !!server;
ent->entry.flags.server = 1;
ent->entry.flags.forwardable = 1;
ent->entry.flags.proxiable = 1;
ent->entry.flags.renewable = 1;
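Review bot: With the `server` parameter gone, default_flags no longer says anything about what it is the default for, and it carries no header comment; its closing brace lies past the end of this hunk. The body unconditionally enables both client and server use, plus forwardable, proxiable and renewable, so a one-line comment above the definition would spare the next reader a trip to the caller, e.g. `/* Flags for a new entry when no template principal supplies them: usable as both client and server. */`. The caller visible in the next hunk appears to take this branch only when no default entry is available; confirm that reading before wording the comment that way.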
@ -209,7 +209,7 @@ _kadm5_setup_entry(kadm5_server_context *context,
attr_to_flags(def->attributes, &ent->entry.flags);
ent->entry.flags.invalid = 0;
} else {
default_flags(ent, 1);
default_flags(ent);
}
}

@ -176,6 +176,7 @@ kadm5_s_get_principal(void *server_handle,
out->attributes |= ent.entry.flags.invalid ? KRB5_KDB_DISALLOW_ALL_TIX : 0;
out->attributes |= ent.entry.flags.require_preauth ? KRB5_KDB_REQUIRES_PRE_AUTH : 0;
out->attributes |= ent.entry.flags.require_pwchange ? KRB5_KDB_REQUIRES_PWCHANGE : 0;
out->attributes |= ent.entry.flags.client ? 0 : KRB5_KDB_DISALLOW_CLIENT;
out->attributes |= ent.entry.flags.server ? 0 : KRB5_KDB_DISALLOW_SVR;
out->attributes |= ent.entry.flags.change_pw ? KRB5_KDB_PWCHANGE_SERVICE : 0;
out->attributes |= ent.entry.flags.ok_as_delegate ? KRB5_KDB_OK_AS_DELEGATE : 0;

@ -361,6 +361,7 @@ trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1
ec=0
echo "Getting client initial tickets with wrong password"; > messages.log
${kadmin} modify --attributes=+disallow-client ${server} || exit 1
${kinit} --password-file=${objdir}/notfoopassword \
foo@${R} 2>kinit-log.tmp && \
{ ec=1 ; eval "${testfailed}"; }
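Review bot: The `modify --attributes=+disallow-client ${server}` on this line is placed under the heading "Getting client initial tickets with wrong password", which is a test about `foo@${R}`, not `${server}`, so the attribute is set here but not exercised until the `kinit --keytab` check several hundred lines later and stays in force on the service principal for every test in between. If any intervening test uses `${server}` as a client it will now fail for a reason unrelated to what it checks, and a reader of messages.log for this section will see an unrelated kadmin modify. Moving the modify to directly before the `kinit --keytab=${keytab} ${server}@$R && { ec=1 ...}` check, with its own `echo "Getting server initial tickets with disallow-client set"; > messages.log` line, keeps the attribute's scope equal to the test that needs it. Whether any intermediate test depends on `${server}` being a client cannot be determined from this hunk.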
@ -626,6 +627,8 @@ done
${kdestroy}
echo "Getting server initial tickets"; > messages.log
${kinit} --keytab=${keytab} ${server}@$R && { ec=1 ; eval "${testfailed}"; }
${kadmin} modify --attributes=-disallow-client ${server} || exit 1
${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > messages.log
${klist} | grep "Principal: ${server}" > /dev/null || \