kdc: ensure GSS-API pre-auth acceptor name is TGS
The target (acceptor) name for GSS-API pre-authentication should be the name of the TGS, not the server name in the AS-REQ, as it is the KDC which is being mutually authenticated. If the client is not requesting a TGT, they may differ.
@@ -140,6 +140,7 @@ pa_gss_acquire_acceptor_cred(astgs_request_t r,
|
|||||||
gss_cred_id_t *cred)
|
gss_cred_id_t *cred)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
|
krb5_principal tgs_name;
|
||||||
|
|
||||||
OM_uint32 major, minor;
|
OM_uint32 major, minor;
|
||||||
gss_name_t target_name = GSS_C_NO_NAME;
|
gss_name_t target_name = GSS_C_NO_NAME;
|
||||||
@@ -148,7 +149,13 @@ pa_gss_acquire_acceptor_cred(astgs_request_t r,
|
|||||||
|
|
||||||
*cred = GSS_C_NO_CREDENTIAL;
|
*cred = GSS_C_NO_CREDENTIAL;
|
||||||
|
|
||||||
ret = _krb5_gss_pa_unparse_name(r->context, r->server_princ, &target_name);
|
ret = krb5_make_principal(r->context, &tgs_name, r->req.req_body.realm,
|
||||||
|
KRB5_TGS_NAME, r->req.req_body.realm, NULL);
|
||||||
|
if (ret)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
ret = _krb5_gss_pa_unparse_name(r->context, tgs_name, &target_name);
|
||||||
|
krb5_free_principal(r->context, tgs_name);
|
||||||
if (ret)
|
if (ret)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
|
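Review bot: The TGS principal is built from `r->req.req_body.realm`, the realm exactly as the client sent it in the AS-REQ, so the acceptor credential lookup for `krbtgt/REALM@REALM` now depends on the caller having already rejected requests for realms this KDC does not serve; the old `r->server_princ` path carried the same realm, but that dependency is no longer visible in this function and deserves a comment above the `krb5_make_principal` call such as `/* req_body.realm is client-supplied; the AS path must already have checked it is a realm served by this KDC */`, worded to match whatever that path actually checks. As a point of style, `krb5_principal tgs_name;` is left uninitialized here while the client-side `pa_gss_step` in the same commit initializes its counterpart to NULL; it is safe because the only `krb5_free_principal` follows a successful `krb5_make_principal`, but `krb5_principal tgs_name = NULL;` would keep the two sites consistent. The remainder of `pa_gss_acquire_acceptor_cred`, including the release of `target_name` once the credential has been acquired, lies outside the hunk.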
@@ -88,6 +88,7 @@ pa_gss_step(krb5_context context,
|
|||||||
krb5_data *out)
|
krb5_data *out)
|
||||||
{
|
{
|
||||||
krb5_error_code ret;
|
krb5_error_code ret;
|
||||||
|
krb5_principal tgs_name = NULL;
|
||||||
|
|
||||||
OM_uint32 major, minor;
|
OM_uint32 major, minor;
|
||||||
gss_cred_id_t cred;
|
gss_cred_id_t cred;
|
||||||
@@ -115,7 +116,12 @@ pa_gss_step(krb5_context context,
|
|||||||
|
|
||||||
ctx = (gss_ctx_id_t)_krb5_init_creds_get_gss_context(context, gssic);
|
ctx = (gss_ctx_id_t)_krb5_init_creds_get_gss_context(context, gssic);
|
||||||
|
|
||||||
ret = _krb5_gss_pa_unparse_name(context, kcred->server, &target_name);
|
ret = krb5_make_principal(context, &tgs_name, kcred->server->realm,
|
||||||
|
KRB5_TGS_NAME, kcred->server->realm, NULL);
|
||||||
|
if (ret)
|
||||||
|
goto out;
|
||||||
|
|
||||||
|
ret = _krb5_gss_pa_unparse_name(context, tgs_name, &target_name);
|
||||||
if (ret)
|
if (ret)
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
@@ -154,6 +160,7 @@ pa_gss_step(krb5_context context,
|
|||||||
out:
|
out:
|
||||||
gss_release_name(&minor, &target_name);
|
gss_release_name(&minor, &target_name);
|
||||||
gss_release_buffer(&minor, &output_token);
|
gss_release_buffer(&minor, &output_token);
|
||||||
|
krb5_free_principal(context, tgs_name);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
@@ -162,6 +169,7 @@ static krb5_error_code KRB5_LIB_CALL
|
|||||||
pa_gss_finish(krb5_context context,
|
pa_gss_finish(krb5_context context,
|
||||||
krb5_gss_init_ctx gssic,
|
krb5_gss_init_ctx gssic,
|
||||||
const krb5_creds *kcred,
|
const krb5_creds *kcred,
|
||||||
|
gss_ctx_id_t ctx,
|
||||||
krb5int32 nonce,
|
krb5int32 nonce,
|
||||||
krb5_enctype enctype,
|
krb5_enctype enctype,
|
||||||
krb5_principal *client_p,
|
krb5_principal *client_p,
|
||||||
|
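Review bot: The reason the acceptor name is now `krbtgt/REALM` rather than `kcred->server` exists only in the commit message, so the `krb5_make_principal` call in `pa_gss_step` should carry it, e.g. `/* Mutually authenticate the KDC itself (the TGS), not the service named in the AS-REQ; the two differ when the client is not requesting a TGT. */`. The `out:` label now frees `tgs_name` unconditionally, which relies on the new declaration initializing it to NULL before the first `goto out` and on `krb5_free_principal` tolerating a NULL principal; a one-line comment at the declaration, `/* NULL until built; freed unconditionally at out: */`, would make that coupling explicit. The new `gss_ctx_id_t ctx` parameter of `pa_gss_finish` is only a signature change within this hunk; the body that consumes it and its callers are outside the view, so whether every call site was updated cannot be checked here. `pa_gss_step` starts before its first hunk and its prologue, including the initialization of `target_name` that the early `goto out` depends on, is not shown.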