From d683780b1d728bf8c5b794a1f66842e5a25bd360 Mon Sep 17 00:00:00 2001
From: Luke Howard
Date: Sat, 1 Jan 2022 23:44:05 +1100
Subject: [PATCH] kdc: separate PKINIT/GSS authorization failure
Create a new audit event for PKINIT/GSS authorization (impersonation) failure
---
 kdc/kerberos5.c | 14 ++++++++------
 lib/hdb/hdb.h | 12 +++++++-----
 2 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/kdc/kerberos5.c b/kdc/kerberos5.c
index a324b6894..70fa1b6d0 100644
--- a/kdc/kerberos5.c
+++ b/kdc/kerberos5.c
@@ -501,7 +501,7 @@ pa_pkinit_validate(astgs_request_t r, const PA_DATA *pa)
 _kdc_set_e_text(r, "PKINIT certificate not allowed to "
 "impersonate principal");
 _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
- HDB_AUTH_EVENT_PKINIT_FAILED);
+ HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED);
 goto out;
 }
@@ -554,7 +554,7 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 _kdc_set_e_text(r, "GSS-API client not allowed to "
 "impersonate principal");
 _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
- HDB_AUTH_EVENT_GSS_PA_FAILED);
+ HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED);
 goto out;
 }
@@ -562,6 +562,8 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 _kdc_r_log(r, 4, "GSS pre-authentication succeeded -- %s using %s",
 r->cname, client_name);
+ _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
+ HDB_AUTH_EVENT_GSS_PA_SUCCEEDED);
 ret = _kdc_gss_mk_composite_name_ad(r, gcp);
 if (ret) {
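Review bot: The GSS_PA_SUCCEEDED audit event is now recorded before `_kdc_gss_mk_composite_name_ad` runs, so a request that fails at the `if (ret) {` closing this hunk has already been audited as a success unless that error branch, whose body is outside the hunk, records a failure event of its own. The next hunk does add a GSS_PA_FAILED event for `_kdc_gss_mk_pa_reply` failures, but nothing visible here does the same for the composite-name failure. If that branch only sets e_text and jumps to `out`, add `_kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT, HDB_AUTH_EVENT_GSS_PA_FAILED);` inside it, or move the SUCCEEDED event back below that call. pa_gss_validate continues past the end of this hunk.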
@@ -572,15 +574,15 @@ pa_gss_validate(astgs_request_t r, const PA_DATA *pa)
 ret = _kdc_gss_mk_pa_reply(r, gcp);
 if (ret) {
- if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED)
+ if (ret != KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) {
 _kdc_set_e_text(r, "Failed to build GSS pre-authentication reply");
+ _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
+ HDB_AUTH_EVENT_GSS_PA_FAILED);
+ }
 goto out;
 }
- _kdc_audit_addkv_number((kdc_request_t)r, HDB_REQUEST_KV_AUTH_EVENT,
- HDB_AUTH_EVENT_GSS_PA_SUCCEEDED);
-
 heim_assert(r->pa_state == NULL, "already have PA state, should be NULL");
 r->pa_state = (struct as_request_pa_state *)gcp;
 gcp = NULL;
diff --git a/lib/hdb/hdb.h b/lib/hdb/hdb.h
index 8fd35b657..952658b18 100644
--- a/lib/hdb/hdb.h
+++ b/lib/hdb/hdb.h
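Review bot: The new GSS_PA_FAILED event is added under HDB_REQUEST_KV_AUTH_EVENT after a GSS_PA_SUCCEEDED value was already added for the same key earlier in pa_gss_validate (the preceding hunk), so the outcome depends on whether `_kdc_audit_addkv_number` replaces or appends on a duplicate key, which is not visible here; if it appends, an audit consumer sees both a success and a failure event for one request. The `KRB5_KDC_ERR_MORE_PREAUTH_DATA_REQUIRED` path also leaves the SUCCEEDED event in place while returning an error to the client, which may be intended but is not stated anywhere. Suggest a comment above the new call, e.g. `/* NOTE: relies on addkv_number overwriting the GSS_PA_SUCCEEDED event recorded above -- confirm; a further round trip keeps SUCCEEDED */`, or an assertion of the overwrite semantics if the audit API guarantees them. pa_gss_validate continues past the end of this hunk.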
@@ -94,11 +94,13 @@ enum hdb_lockop{ HDB_RLOCK, HDB_WLOCK };
 #define HDB_AUTH_EVENT_LTK_PREAUTH_FAILED 5 /* long term key preauth failed */
 #define HDB_AUTH_EVENT_LTK_PREAUTH_SUCCEEDED 6 /* long term key preauth succeeded */
 #define HDB_AUTH_EVENT_PKINIT_SUCCEEDED 7 /* PKINIT preauth succeeded */
-#define HDB_AUTH_EVENT_PKINIT_FAILED 8 /* PKINIT preauth succeeded */
-#define HDB_AUTH_EVENT_GSS_PA_SUCCEEDED 9 /* GSS preauth succeeded */
-#define HDB_AUTH_EVENT_GSS_PA_FAILED 10 /* GSS preauth failed */
-#define HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED 11 /* unknown preauth failed */
-#define HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED 12 /* unknown preauth succeeded */
+#define HDB_AUTH_EVENT_PKINIT_NOT_AUTHORIZED 8 /* PKINIT cert not authorized */
+#define HDB_AUTH_EVENT_PKINIT_FAILED 9 /* PKINIT preauth succeeded */
+#define HDB_AUTH_EVENT_GSS_PA_SUCCEEDED 10 /* GSS preauth succeeded */
+#define HDB_AUTH_EVENT_GSS_PA_NOT_AUTHORIZED 11 /* GSS preauth mapping failed */
+#define HDB_AUTH_EVENT_GSS_PA_FAILED 12 /* GSS preauth failed */
+#define HDB_AUTH_EVENT_OTHER_PREAUTH_FAILED 13 /* unknown preauth failed */
+#define HDB_AUTH_EVENT_OTHER_PREAUTH_SUCCEEDED 14 /* unknown preauth succeeded */
 /*
  * Audit keys to be queried using heim_audit_getkv(). There are other keys
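Review bot: Inserting PKINIT_NOT_AUTHORIZED at 8 and GSS_PA_NOT_AUTHORIZED at 11 renumbers every later constant (PKINIT_FAILED 8→9, GSS_PA_SUCCEEDED 9→10, GSS_PA_FAILED 10→12, OTHER_PREAUTH_FAILED/SUCCEEDED 11/12→13/14); since these are bare integers stored under the audit key, any HDB backend, audit log parser or out-of-tree module built against the old header will silently misread events — an old GSS_PA_FAILED (10) now decodes as GSS_PA_SUCCEEDED. Unless nothing outside this tree consumes the numeric values, append the two new events as 13 and 14 and leave the existing values stable. Separately, the copy-pasted comment on `#define HDB_AUTH_EVENT_PKINIT_FAILED 9 /* PKINIT preauth succeeded */` still says "succeeded" and should read `/* PKINIT preauth failed */`, and `/* GSS preauth mapping failed */` on the NOT_AUTHORIZED line would be clearer as `/* GSS client not authorized to impersonate principal */`, matching the PKINIT comment and the e_text set in kerberos5.c.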