kdc u2u patch, kind of a bugfix...


Chris Hecker

Hi, I'm finally getting around to porting my old 1.9 patches to the
latest krb5 source code, and here's the first one...I'll do this as a
pull request, but figured maybe it wanted some discussion?  Or do you
prefer the discussion to happen on the pull request?

Anyway, the kdc checks if KRB5_KDB_DISALLOW_SVR is set, and if it is,
then it errors with a KDC_ERR_MUST_USE_USER2USER, except it doesn't
actually handle the case where I am actually using u2u, so this fixes that.

I haven't tested it on 1.16 yet (will this week), but it has had 5 years
of testing on 1.9!  :)

I'm also going to submit my old patch that disables ticket issuing if
allow_tix has been turned off, as discussed here years ago, and with
that I fixed the db_entry pass-by-value stuff in kdc_util.c, which I
found was listed here: https://k5wiki.kerberos.org/wiki/Cleanups so I
assume you'd be interested in those changes as well.

Chris


diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index 21af360..0356a47 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -733,7 +733,8 @@ validate_as_request(kdc_realm_t *kdc_active_realm,
      }

      /* Check to see if server is allowed to be a service */
-    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
+    if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) &&
+        !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
          *status = "SERVICE NOT ALLOWED";
          return(KDC_ERR_MUST_USE_USER2USER);
      }
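Review bot: the relaxed condition `if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) && !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY))` lets the option bit alone exempt a request from the DISALLOW_SVR check, so it has to be paired with the check that a request carrying KDC_OPT_ENC_TKT_IN_SKEY really includes the additional ticket and that the issued ticket is then encrypted in that ticket's session key rather than the server's long-term key; nothing in this hunk shows that pairing, so it would help to note in the pull request where it happens. The hunk header also names validate_as_request, while ENC_TKT_IN_SKEY is a TGS-REQ option, so please confirm the change sits on the TGS validation path. A short addition to the `/* Check to see if server is allowed to be a service */` comment saying that u2u requests are exempt would make the intent clear to the next reader.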
_______________________________________________
krbdev mailing list             [hidden email]
https://mailman.mit.edu/mailman/listinfo/krbdev

Re: kdc u2u patch, kind of a bugfix...

Greg Hudson
On 07/23/2018 07:53 AM, Chris Hecker wrote:
> Hi, I'm finally getting around to porting my old 1.9 patches to the
> latest krb5 source code, and here's the first one...I'll do this as a
> pull request, but figured maybe it wanted some discussion?  Or do you
> prefer the discussion to happen on the pull request?

We mainly discuss patches in pull requests, occasionally using this list
to call out design issues which could benefit from wider participation.

Re: kdc u2u patch, kind of a bugfix...

Chris Hecker

Okay, cool, I'll do it there.  Is it okay if I make the patch compile
against the latest like requested on the page, but actually test on an
earlier production version (like 1.15.3 or 1.16.1)?  I don't want to
test on non-production builds on my main server, but I'll be testing
these patches on a production server (and I've been running them for
years previously).

Also, would you guys be interested in a patch to the kvno tool to
request u2u tickets for testing, kind of like the -U and -P parms for
delegation switches?  I don't see any non-code way of getting a u2u
ticket for testing with the normal utilities, or did I miss something?

Chris




On 2018-07-23 07:47, Greg Hudson wrote:


Re: kdc u2u patch, kind of a bugfix...

Greg Hudson
On 07/23/2018 02:29 PM, Chris Hecker wrote:
> Also, would you guys be interested in a patch to the kvno tool to
> request u2u tickets for testing, kind of like the -U and -P parms for
> delegation switches?

How would that work?  A u2u request requires a TGT (just the ticket, not
knowledge of its session key) for the target user.  I guess kvno could
be given the name of a ccache containing that TGT and read it out?  That
would probably be okay.
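Greg's point above (a u2u request needs the target user's TGT, just the ticket, never its session key) and the condition in Chris's patch, modelled together as an added example; this is not code from the thread or from MIT krb5. ToyKDC, the seal/unseal helper (a stand-in for a real Kerberos enctype) and the status strings are assumptions of the model; the two bit constants mirror krb5's kdb.h and kdc.h, but the model only needs them to be distinct. The `patched` switch reproduces the pre-patch behaviour, where a u2u request to a DISALLOW_SVR principal was still refused.

```python
import hashlib
import hmac
import json
import os

# Bit values as in krb5's headers; the model only relies on them being distinct.
KRB5_KDB_DISALLOW_SVR = 0x00001000      # principal may not act as a service
KDC_OPT_ENC_TKT_IN_SKEY = 0x00000008    # client asks for a user-to-user ticket

TAG_LEN = 32


def _keystream(key, nonce, n):
    """Toy stream cipher: SHA-256(key || nonce || counter) blocks. Not a Kerberos enctype."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt-then-MAC under a 32-byte key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("MAC check failed (wrong key or corrupted ticket)")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    """Just enough KDC to show the DISALLOW_SVR / ENC_TKT_IN_SKEY decision (hypothetical)."""

    def __init__(self, patched=True):
        self.patched = patched              # False reproduces the pre-patch check
        self.krbtgt_key = os.urandom(32)    # every TGT is sealed under this key
        self.db = {}                        # principal -> {"key", "attributes"}

    def add_principal(self, name, attributes=0):
        self.db[name] = {"key": os.urandom(32), "attributes": attributes}

    def issue_tgt(self, cname):
        """AS exchange, minus pre-auth: returns (TGT blob, TGT session key)."""
        session_key = os.urandom(32)
        tgt = {"cname": cname, "sname": "krbtgt", "session_key": session_key.hex()}
        return seal(self.krbtgt_key, json.dumps(tgt).encode()), session_key

    def tgs_req(self, cname, sname, kdc_options=0, additional_ticket=None):
        """TGS exchange: returns (status, service ticket blob, service session key)."""
        server = self.db[sname]
        wants_u2u = bool(kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)
        # The patched condition: DISALLOW_SVR no longer rejects a u2u request.
        if server["attributes"] & KRB5_KDB_DISALLOW_SVR and (not wants_u2u or not self.patched):
            return "KDC_ERR_MUST_USE_USER2USER", None, None
        if wants_u2u:
            if additional_ticket is None:          # option set, but no second ticket
                return "KDC_ERR_BADOPTION", None, None
            try:
                tgt = json.loads(unseal(self.krbtgt_key, additional_ticket))
            except ValueError:
                return "KRB_AP_ERR_BAD_INTEGRITY", None, None
            if tgt["sname"] != "krbtgt" or tgt["cname"] != sname:
                return "KDC_ERR_SERVER_NOMATCH", None, None
            ticket_key = bytes.fromhex(tgt["session_key"])   # target's TGT session key
        else:
            ticket_key = server["key"]                       # server's long-term key
        svc_session_key = os.urandom(32)
        ticket = {"cname": cname, "sname": sname, "session_key": svc_session_key.hex()}
        return "OK", seal(ticket_key, json.dumps(ticket).encode()), svc_session_key


def run_scenarios(patched=True):
    """Status per request shape, plus whether the target user can open the u2u ticket."""
    kdc = ToyKDC(patched=patched)
    kdc.add_principal("alice")
    kdc.add_principal("bob", attributes=KRB5_KDB_DISALLOW_SVR)  # a user, not a service
    bob_tgt, bob_tgt_skey = kdc.issue_tgt("bob")  # alice is handed the ticket blob only
    results = {
        "plain": kdc.tgs_req("alice", "bob")[0],
        "u2u_no_ticket": kdc.tgs_req("alice", "bob", KDC_OPT_ENC_TKT_IN_SKEY)[0],
    }
    status, ticket, skey = kdc.tgs_req("alice", "bob", KDC_OPT_ENC_TKT_IN_SKEY, bob_tgt)
    results["u2u"] = status
    if status == "OK":
        # Bob opens the ticket with his TGT session key, which never left his ccache.
        bob_view = json.loads(unseal(bob_tgt_skey, ticket))
        results["bob_can_read"] = bytes.fromhex(bob_view["session_key"]) == skey
        try:
            unseal(kdc.db["bob"]["key"], ticket)  # long-term key does not open a u2u ticket
            results["longterm_key_opens"] = True
        except ValueError:
            results["longterm_key_opens"] = False
    return results


if __name__ == "__main__":
    print(run_scenarios(patched=True))
    print(run_scenarios(patched=False))
```

The point the model makes visible is why the exemption is safe: a client that sets ENC_TKT_IN_SKEY without a second ticket still gets an error, and a ticket issued the u2u way is sealed under the target's TGT session key, so only the holder of that TGT (the target user, whose ccache is what a kvno test helper would have to read) can use it.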

Re: kdc u2u patch, kind of a bugfix...

Idan Freiberg
Does that patch enable support for the u2u mech?
On Fri, 27 July 2018 at 18:17, Greg Hudson <[hidden email]> wrote:

--
Idan Freiberg

GPG FP: 8108 7EC9 806E 4980 75F2  72B3 8AD3 2D04 337B 1F18

Re: kdc u2u patch, kind of a bugfix...

Chris Hecker
In reply to this post by Greg Hudson
Yeah, I was thinking it would take another ccache as its param.

Chris


On Fri, Jul 27, 2018 at 08:17 Greg Hudson <[hidden email]> wrote:


Re: kdc u2u patch, kind of a bugfix...

Idan Freiberg
Oh, I can help test it against the MS KDC.
I'll have a look.

On Fri, 27 July 2018 at 19:19, Chris Hecker <[hidden email]> wrote:
