[krbdev.mit.edu #2641] KRB5_KDB_DISALLOW_SVR flag unnecessarily prevents User2User

The RT System itself via RT rt-comment at krbdev.mit.edu
Mon Jul 19 21:22:36 EDT 2004


Message-ID: <AC89BDA1E3CCBC42B9CA5B50FE7934D3067819FC at es10snlnt.sandia.gov>
From: "Moore, Patrick" <pcmoore at sandia.gov>
To: "'krb5-bugs at mit.edu'" <krb5-bugs at mit.edu>
Date: Thu, 15 Jul 2004 17:26:55 -0600
Subject: KRB5_KDB_DISALLOW_SVR flag prevents User2User authentication


>Submitter-Id:	net
>Originator:	Pat Moore, pcmoore at sandia.gov 
>Organization:	Sandia National Laboratories
>Confidential:	no
>Synopsis:	KRB5_KDB_DISALLOW_SVR flag unnecessarily prevents User2User
authentication
>Severity:	non-critical
>Priority:	low
>Category:	krb5-kdc
>Class:	change-request
>Release:	krb5-1.3.4
>Environment: 
  N/A


>Description:
Reviving an old issue . . .
With MIT KDC, there is no way to allow user2user authentication unless you
also allow conventional service tickets for that user, which some sites
consider an unacceptable security risk.   

A couple years back, Nico Williams suggested (to the kerbdev list) a
potential fix via a simple patch to kdc/kdc_util.c. My fix below is
essentially Nico's suggestion. 

Note: I know that DCE KDCs allow user2user without allowing conventional
service tickets (they use a special flag). I understand that Msoft can allow
user2user without allowing conventional service tickets.


>How-To-Repeat:
If you set "+allow svr" and "+allow dup skey", then you can get a
user2user ticket for that principal, but unfortunately you can also get a
conventional ticket.  If you set "-allow svr" and "allow dup skey", you
cannot get a user2user ticket for that principal.


>Fix:

Seems sensible that if a principal was set "-allow svr" AND "+allow dup
skey" that user2user tickets should work, and conventional service tickets
should not work. The patch below would provide that functionality.

*** kdc_util.orig.c   Thu Jul 15 13:42:01 2004
--- kdc_util.new.c    Thu Jul 15 13:44:51 2004
***************
*** 1271,1277 ****
      }

      /* Server must be allowed to be a service */
!     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR)) {
        *status = "SERVER NOT ALLOWED";
        return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
      }
--- 1271,1278 ----
      }

      /* Server must be allowed to be a service */
!     if (isflagset(server.attributes, KRB5_KDB_DISALLOW_SVR) &&
!          !isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) {
        *status = "SERVER NOT ALLOWED";
        return(KDC_ERR_S_PRINCIPAL_UNKNOWN);
      }
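Review bot: the relaxed condition admits a DISALLOW_SVR principal as the TGS target whenever the client sets KDC_OPT_ENC_TKT_IN_SKEY, but nothing in this hunk ties that to the "+allow dup skey" half of the policy stated in the Fix section; unless an earlier check in kdc_util.c already rejects ENC_TKT_IN_SKEY requests for a server with KRB5_KDB_DISALLOW_DUP_SKEY set, the exemption should require that too, e.g. a third term `!isflagset(server.attributes, KRB5_KDB_DISALLOW_DUP_SKEY)`. The comment "Server must be allowed to be a service" also no longer describes the test; reword it to mention the user-to-user exemption so the next reader does not take the two-term condition for a bug.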

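As an added example (not the report's or MIT's code), the following C model puts the original kdc_util.c check beside the proposed one, with a small parser for the kadmin attribute syntax the report refers to ("-allow_svr", "+allow_dup_skey"). The flag bit values, the `check` helper and the separate DUP_SKEY refusal are assumptions made for the model.

```c
#include <stdio.h>
#include <string.h>

/* Constructed bit values: real MIT kdb.h/krb5.h use other positions. */
#define KRB5_KDB_DISALLOW_SVR       0x1000u
#define KRB5_KDB_DISALLOW_DUP_SKEY  0x0800u
#define KDC_OPT_ENC_TKT_IN_SKEY     0x10000000u
#define isflagset(flags, bit) (((flags) & (bit)) != 0)

/* Parse kadmin attribute text such as "-allow_svr +allow_dup_skey" into
 * DISALLOW_* bits ("-allow_x" sets DISALLOW_x, "+allow_x" clears it).
 * Returns -1 on an unknown token or a missing sign. */
static int parse_attrs(const char *text, unsigned *attrs)
{
    char tok[32];
    int n;
    *attrs = 0;
    while (sscanf(text, "%31s%n", tok, &n) == 1) {
        unsigned bit = strcmp(tok + 1, "allow_svr") == 0 ? KRB5_KDB_DISALLOW_SVR
            : strcmp(tok + 1, "allow_dup_skey") == 0 ? KRB5_KDB_DISALLOW_DUP_SKEY : 0;
        if (bit == 0 || (tok[0] != '+' && tok[0] != '-'))
            return -1;
        if (tok[0] == '-') *attrs |= bit; else *attrs &= ~bit;
        text += n;
    }
    return 0;
}

/* KDC verdict for one TGS request. patched == 0 is the original kdc_util.c
 * test (DISALLOW_SVR always refuses); patched == 1 is the report's condition
 * (DISALLOW_SVR refuses only conventional requests). Assumed: the KDC
 * separately refuses user-to-user requests when DISALLOW_DUP_SKEY is set. */
static const char *tgs_verdict(unsigned attrs, unsigned opts, int patched)
{
    int u2u = isflagset(opts, KDC_OPT_ENC_TKT_IN_SKEY);
    if (u2u && isflagset(attrs, KRB5_KDB_DISALLOW_DUP_SKEY))
        return "DUP SKEY NOT ALLOWED";
    if (isflagset(attrs, KRB5_KDB_DISALLOW_SVR) && (!patched || !u2u))
        return "SERVER NOT ALLOWED";
    return u2u ? "ISSUE USER2USER TICKET" : "ISSUE SERVICE TICKET";
}

/* kadmin attribute text + request type + KDC variant -> verdict string. */
const char *check(const char *kadmin_attrs, int user2user, int patched)
{
    unsigned attrs;
    if (parse_attrs(kadmin_attrs, &attrs) != 0)
        return "BAD ATTRIBUTES";
    return tgs_verdict(attrs, user2user ? KDC_OPT_ENC_TKT_IN_SKEY : 0, patched);
}
```

With patched == 0, "-allow_svr +allow_dup_skey" refuses the user-to-user request, which is the behaviour the report complains about; with patched == 1 it is issued while a conventional request for the same principal is still refused.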



