oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

kdc: add enable_fast option (enabled by default)

Browse Source 
This makes it possible to disable fast if needed,
which is very good for regression tests.
Samba disables this in a few test environments with this
option.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15002
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15005

Signed-off-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Stefan Metzmacher
2022-03-08 16:11:39 +01:00
committed by Luke Howard
parent 348a03e48e
commit c4216b17a8
5 changed files with 18 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
kdc/default_config.c
View File

@@ -101,6 +101,7 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
c->strict_nametypes = FALSE; c->strict_nametypes = FALSE;
c->trpolicy = TRPOLICY_ALWAYS_CHECK; c->trpolicy = TRPOLICY_ALWAYS_CHECK;
c->require_pac = FALSE; c->require_pac = FALSE;
c->enable_fast = TRUE;
c->enable_armored_pa_enc_timestamp = TRUE; c->enable_armored_pa_enc_timestamp = TRUE;
c->enable_unarmored_pa_enc_timestamp = TRUE; c->enable_unarmored_pa_enc_timestamp = TRUE;
c->enable_pkinit = FALSE; c->enable_pkinit = FALSE;
@@ -262,6 +263,14 @@ krb5_kdc_get_config(krb5_context context, krb5_kdc_configuration **config)
"require_pac", "require_pac",
NULL); NULL);
c->enable_fast =
krb5_config_get_bool_default(context,
NULL,
c->enable_fast,
"kdc",
"enable_fast",
NULL);
c->enable_armored_pa_enc_timestamp = c->enable_armored_pa_enc_timestamp =
krb5_config_get_bool_default(context, krb5_config_get_bool_default(context,
NULL, NULL,

3
kdc/fast.c
View File

@@ -756,6 +756,9 @@ _kdc_fast_unwrap_request(astgs_request_t r,
const PA_DATA *pa; const PA_DATA *pa;
int i = 0; int i = 0;
if (!r->config->enable_fast)
return 0;
ret = fast_unwrap_request(r, tgs_ticket, tgs_ac); ret = fast_unwrap_request(r, tgs_ticket, tgs_ac);
if (ret) if (ret)
return ret; return ret;

1
kdc/kdc_locl.h
View File

@@ -100,6 +100,7 @@ struct krb5_kdc_configuration {
enum krb5_kdc_trpolicy trpolicy; enum krb5_kdc_trpolicy trpolicy;
unsigned int require_pac : 1; unsigned int require_pac : 1;
unsigned int enable_fast : 1;
unsigned int enable_armored_pa_enc_timestamp : 1; unsigned int enable_armored_pa_enc_timestamp : 1;
unsigned int enable_unarmored_pa_enc_timestamp : 1; unsigned int enable_unarmored_pa_enc_timestamp : 1;

3
kdc/krb5tgs.c
View File

@@ -902,6 +902,9 @@ validate_fast_ad(astgs_request_t r, krb5_authdata *auth_data)
krb5_data_zero(&data); krb5_data_zero(&data);
if (!r->config->enable_fast)
return 0;
ret = _krb5_get_ad(r->context, auth_data, NULL, ret = _krb5_get_ad(r->context, auth_data, NULL,
KRB5_AUTHDATA_FX_FAST_USED, &data); KRB5_AUTHDATA_FX_FAST_USED, &data);
if (ret == 0) { if (ret == 0) {

2
lib/krb5/krb5.conf.5
View File

@@ -816,6 +816,8 @@ addresses in the tickets.
.It Li allow-null-ticket-addresses = Va BOOL .It Li allow-null-ticket-addresses = Va BOOL
Allow address-less tickets. Allow address-less tickets.
.\" XXX .\" XXX
.It Li enable_fast = Va BOOL
Enable RFC 6113 FAST support, this is enabled by default.
.It Li enable_armored_pa_enc_timestamp = Va BOOL .It Li enable_armored_pa_enc_timestamp = Va BOOL
Enable armored encrypted timestamp pre-authentication with key Enable armored encrypted timestamp pre-authentication with key
strengthening. strengthening.