krb5 commit: Allow aliases when matching U2U second ticket

Greg Hudson ghudson at mit.edu
Tue Sep 22 17:24:15 EDT 2020 

https://github.com/krb5/krb5/commit/afc494ef9418e6be7fbb887364efa6606b10034a
commit afc494ef9418e6be7fbb887364efa6606b10034a
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Sep 22 01:17:11 2020 +0300

    Allow aliases when matching U2U second ticket
    
    In process_tgs_req() when verifying the user-to-user second ticket,
    compare the canonical names of the request server and the second
    ticket client.
    
    [ghudson at mit.edu: expanded commit message; trimmed tests]
    
    ticket: 8951 (new)

 src/kdc/do_tgs_req.c |    2 +-
 src/tests/t_u2u.py   |   25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+), 1 deletions(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index 8860fe8..0a2be2c 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -648,7 +648,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
          */
         krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
         krb5_principal client2 = t2enc->client;
-        if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+        if (!is_client_db_alias(kdc_context, server, client2)) {
             altcprinc = client2;
             errcode = KRB5KDC_ERR_SERVER_NOMATCH;
             status = "2ND_TKT_MISMATCH";
diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py
index 1ca6ac8..4b8a82a 100644
--- a/src/tests/t_u2u.py
+++ b/src/tests/t_u2u.py
@@ -32,4 +32,29 @@ realm.run([kvno, '--u2u', realm.ccache, realm.user_princ])
 
 realm.run([klist])
 
+realm.stop()
+
+# Load the test KDB module to test aliases
+testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'},
+              'user': {'keys': 'aes128-cts', 'flags': '+preauth'},
+              'WIN10': {'keys': 'aes128-cts'}}
+kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
+           'dbmodules': {'test': {'db_library': 'test',
+                                  'princs': testprincs,
+                                  'alias': {'HOST/win10': 'WIN10'}}}}
+
+realm = K5Realm(kdc_conf=kdcconf, create_kdb=False)
+realm.start_kdc()
+
+# Create a second user principal and get tickets for it.
+u2u_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u')
+realm.extract_keytab('WIN10', realm.keytab)
+realm.kinit('WIN10', None, ['-k', '-c', u2u_ccache])
+
+realm.extract_keytab(realm.user_princ, realm.keytab)
+realm.kinit(realm.user_princ, None, ['-k'])
+
+realm.run([kvno, '--u2u', u2u_ccache, 'HOST/win10'], expected_msg='kvno = 0')
+realm.run([kvno, '--u2u', u2u_ccache, 'WIN10'], expected_msg='kvno = 0')
+
 success('user-to-user tests')

More information about the cvs-krb5 mailing list